Win32.NewMediaTrojan Virus Help... [RESOLVED]


This topic is locked

#1
The Aphex Twin

    Member

  • Member
  • 11 posts
Hey Guys,

I was recently infected with the Win32.NewMediaTrojan Virus (takes over the computer and wants you to disinfect your computer using their anti-spyware tools). I ran some cleanup utilities including SDFix.exe but I am still getting the pop-ups that I did before. Any additional help would be appreciated. Here is my log:

C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [f0b2c76e] rundll32.exe "C:\WINDOWS\System32\dqegkwkx.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4032 bytes

Thanks,
Shaun
  • 0

#2
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi The Aphex Twin,

Welcome to Geeks to Go!
I am sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
ComboFix


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the setup package & save it as originally named, next to ComboFix.exe.
Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • Click Yes at the window labelled What's next? to continue with the scan.
  • When complete, a log named C:\Combofix.txt will open.
  • Please post the entire contents of that log as your next reply.


Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Cheers,

sage5
  • 0

#3
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

Thanks for the quick response. Below is my ComboFix log and a new Hijackthis log. Thanks again!

ComboFix 08-07-29.1 - Owner 2008-07-30 9:50:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.123 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\winxpsp1_en_hom_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\KK74CFH6\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\KK74CFH6\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\envfixhk.ini
C:\WINDOWS\system32\gOUFPXyb.ini
C:\WINDOWS\system32\gOUFPXyb.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mpghaxxt.dll
C:\WINDOWS\system32\pckosvmu.dll
C:\WINDOWS\system32\ryoowf.dll
C:\WINDOWS\system32\vtUoonom.dll
C:\WINDOWS\system32\xfpcgq.dll
C:\WINDOWS\system32\xkwkgeqd.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-30 10:11 . 2008-07-30 10:12 294 ---hs---- C:\WINDOWS\system32\xkwkgeqd.ini
2008-07-30 08:15 . 2008-07-30 08:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 17:41 . 2008-07-29 17:41 99,456 --a------ C:\WINDOWS\system32\dqegkwkx.dll
2008-07-27 21:23 . 2008-07-27 21:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-27 21:21 . 2008-07-27 22:50 <DIR> d-------- C:\SDFix
2008-07-27 21:13 . 2002-08-29 03:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-27 21:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-27 21:13 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-27 20:09 . 2008-07-27 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-27 20:08 . 2008-07-27 20:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinBatch
2008-07-27 17:30 . 2008-07-27 17:30 323,584 --a------ C:\WINDOWS\system32\byXPFUOg.dll
2008-07-27 08:57 . 2008-07-27 20:08 <DIR> d-------- C:\Program Files\PowerISO
2008-07-26 22:25 . 2008-07-27 20:08 <DIR> d-------- C:\DiabloBackup
2008-07-26 10:08 . 2008-07-26 10:08 6,080 --a------ C:\Temp\drtl109.exe
2008-07-11 13:50 . 2008-07-26 08:55 66,936 --a------ C:\WINDOWS\dlinfo_0.drv
2008-07-11 07:32 . 2008-07-30 08:42 <DIR> d-------- C:\Diablo
2008-07-11 07:32 . 2008-07-11 07:32 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-07-11 07:32 . 2008-07-11 07:32 61,440 --a------ C:\WINDOWS\diabunin.exe
2008-07-07 02:40 . 2008-07-07 02:40 56,108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2008-06-25 21:18 . 2008-06-25 21:18 <DIR> d-------- C:\Program Files\DataDoctorRecovery (Evaluation)
2008-06-20 13:41 . 2008-07-26 22:29 <DIR> d-------- C:\Program Files\Stellar Phoenix NTFS Data Recovery
2008-06-20 13:41 . 1999-06-18 16:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-06-20 13:41 . 2006-02-28 20:10 69,632 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-06-20 13:41 . 2006-01-09 21:47 31,846 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-06-20 13:41 . 1996-05-03 12:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-06-20 13:41 . 1996-05-03 10:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-06-20 13:41 . 1995-07-04 13:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-06-20 13:41 . 2008-06-20 13:41 1,680 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-06-20 13:41 . 2008-06-20 13:48 1,680 --a------ C:\WINDOWS\system32\esnecil.ind
2008-06-20 13:41 . 2008-06-20 13:41 68 --a------ C:\WINDOWS\Crypkey.ini
2008-06-20 13:41 . 2008-06-20 13:41 4 --a------ C:\WINDOWS\vx86036.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 13:05 --------- d-----w C:\Program Files\hjt
2008-07-30 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 22:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-07-27 04:00 --------- d-----w C:\Program Files\Heroes 3 Complete
2008-07-27 03:59 --------- d-----w C:\Program Files\Common Files\3DO Shared
2008-07-27 03:59 --------- d-----w C:\Program Files\3DO
2008-07-20 20:23 --------- d-----w C:\Program Files\Soulseek
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B97B037-6C4C-46BF-8B8A-47DF1E4C4804}]
2008-07-27 17:30 323584 --a------ C:\WINDOWS\System32\byXPFUOg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3ee804f-14bc-4407-b129-aca1aef12429}]
2008-07-30 10:19 120960 --a------ C:\WINDOWS\System32\fisxei.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 02:39 548933 C:\WINDOWS\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-18 17:54 968696]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 02:34 167936]
"f0b2c76e"="C:\WINDOWS\System32\irmehktb.dll" [2008-07-30 10:17 99456]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-15 19:14:42 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-04-04 19:03:21 169472]
Media Card Companion Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-05-10 20:44:11 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"MSACM.qmpeg"= qmpeg.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\byXPFUOg

S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 10:11:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\hpfsched.exe:mkcwh 98926 bytes executable
C:\WINDOWS\iis6.log:yiqnh 98926 bytes executable
C:\WINDOWS\smscfg.ini:yvljbg 68096 bytes executable
C:\WINDOWS\Sti_Trace.log:xlhcjz 10893 bytes executable
C:\WINDOWS\msoffice.ini:byscr 29256 bytes executable
C:\WINDOWS\ocgen.log:rddhv 98926 bytes executable
C:\WINDOWS\tsoc.log:nnhyam 29256 bytes executable
C:\WINDOWS\msgsocm.log:bklkx 29256 bytes executable
C:\WINDOWS\PCDLIB32.DLL:uxzfl 29256 bytes executable
C:\WINDOWS\winhelp.exe:baltx 98926 bytes executable
C:\WINDOWS\wininit.ini:nilja 10893 bytes executable
C:\WINDOWS\WMSysPrx.prx:tmafk 29256 bytes executable
C:\WINDOWS\javagw.dll:ywpkc 98926 bytes executable
C:\WINDOWS\cngwu.dat:podou 98926 bytes executable
C:\WINDOWS\twain_32.dll:fscgu 29256 bytes executable
C:\WINDOWS\twunk_32.exe:qtisa 29256 bytes executable
C:\WINDOWS\Q331060.log:rytwm 98926 bytes executable
C:\WINDOWS\Q331060.log:vnlnh 29256 bytes executable
C:\WINDOWS\Q331060.log:vnlnho 29256 bytes executable
C:\WINDOWS\Rhododendron.bmp:cswgjz 10893 bytes executable
C:\WINDOWS\system32\irmehktb.dll 99456 bytes executable
C:\WINDOWS\system32\SoftwareDistribution
C:\WINDOWS\system32\wuapi.dll.mui_en 25944 bytes executable
C:\WINDOWS\system32\wuauclt.exe.wusetup.563328.bak 124184 bytes executable
C:\WINDOWS\system32\wuaucpl.cpl.mui_en 25944 bytes executable
C:\WINDOWS\system32\wuaucpl.cpl.wusetup.566484.bak 174360 bytes executable
C:\WINDOWS\system32\xkwkgeqd.ini 294 bytes
C:\WINDOWS\system32\btkhemri.ini 1382035 bytes
C:\WINDOWS\system32\vqxmyfow.dll 120960 bytes executable
C:\WINDOWS\system32\gOUFPXyb.ini 630525 bytes
C:\WINDOWS\system32\gOUFPXyb.ini2 630383 bytes

scan completed successfully
hidden files: 31

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\irmehktb.dll
-> C:\WINDOWS\System32\byXPFUOg.dll
-> ?:\WINDOWS\system32\iphlpapi.dll
-> ?:\WINDOWS\System32\WINMM.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-30 10:22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 15:21:48

Pre-Run: 6,339,145,728 bytes free
Post-Run: 7,327,412,224 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

195

Hijack this:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:38 AM, on 7/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [f0b2c76e] rundll32.exe "C:\WINDOWS\System32\irmehktb.dll",b
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4022 bytes
  • 0

#4
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi The Aphex Twin,

Please download the following & save to your Desktop:
Malwarebytes' Anti-Malware from Here or Here
OTMoveIt2 by OldTimer.


Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B97B037-6C4C-46BF-8B8A-47DF1E4C4804}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7B97B037-6C4C-46BF-8B8A-47DF1E4C4804}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3ee804f-14bc-4407-b129-aca1aef12429}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b3ee804f-14bc-4407-b129-aca1aef12429}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f0b2c76e"=-
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\xkwkgeqd.ini
    C:\WINDOWS\system32\dqegkwkx.dll
    C:\WINDOWS\system32\byXPFUOg.dll
    C:\WINDOWS\System32\fisxei.dll
    C:\Temp\drtl109.exe
    C:\WINDOWS\dlinfo_0.drv
    C:\WINDOWS\bnetunin.exe
    C:\WINDOWS\diabunin.exe
    C:\WINDOWS\iis6.log
    C:\WINDOWS\WMSysPrx.prx
    C:\WINDOWS\system32\irmehktb.dll
    C:\WINDOWS\system32\btkhemri.ini
    C:\WINDOWS\system32\vqxmyfow.dll
    C:\WINDOWS\system32\gOUFPXyb.ini
    C:\WINDOWS\system32\gOUFPXyb.ini2
  • Return to OTMoveIt, right click on the "Paste list of Files/Folders to be moved" window (under the Yellow bar) and choose Paste.
  • Make sure that there is a tick next to Unregister Dll's and OCX's
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Run Malwarebytes' Anti-Malware:
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Save the entire report as C:\mbam.txt
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post me the text from the following as your next reply:
  • C:\otmove.txt
  • C:\mbam.txt


Cheers,

sage5
  • 0
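An added example, not part of sage5's instructions or of any tool used in this thread: the `hex(7)` line in the Fixreg.reg above is a REG_MULTI_SZ value written out as UTF-16LE bytes, and the script below decodes it to show what the fix actually writes. It resets LSA "Authentication Packages" to the single default package msv1_0, dropping the `C:\WINDOWS\System32\byXPFUOg` entry that ComboFix listed under the lsa key in its Reg Loading Points. The "before" list is constructed from that ComboFix line; the function names are this example's own.

```python
"""Decode/encode the hex(7) (REG_MULTI_SZ) notation used in .reg files.

Added example for this thread; not part of sage5's instructions or of any
tool mentioned here. FIXREG_LINE is copied from the Fixreg.reg in post #4.
"""
from __future__ import annotations

import re

# Copied from the Fixreg.reg in post #4. Regedit wraps long hex values with a
# trailing backslash, which is why the data continues on a second line.
FIXREG_LINE = (
    '"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n'
    "00"
)

# Stock Windows XP ships with exactly one LSA authentication package.
DEFAULT_PACKAGES = ["msv1_0"]


def parse_hex7(reg_value: str) -> list[str]:
    """Return the strings stored in a .reg 'hex(7):...' value.

    Handles Regedit's backslash line continuation. REG_MULTI_SZ is UTF-16LE
    text: each string ends in a NUL and the whole list ends in an extra NUL.
    """
    _, _, data = reg_value.partition("hex(7):")
    data = re.sub(r"\\\s*", "", data)   # join continued lines
    data = re.sub(r"\s+", "", data)     # drop any remaining whitespace
    raw = bytes(int(pair, 16) for pair in data.split(",") if pair)
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def encode_hex7(strings: list[str]) -> str:
    """Inverse of parse_hex7 (emitted on one line, no continuation)."""
    raw = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def authentication_packages_after_fix() -> list[str]:
    """What the LSA value holds once Fixreg.reg has been merged."""
    return parse_hex7(FIXREG_LINE)


def has_only_default_packages(packages: list[str]) -> bool:
    """True when the list is the stock value. Every package listed here is a
    DLL that lsass.exe loads at boot, so any extra entry deserves a look."""
    return packages == DEFAULT_PACKAGES


if __name__ == "__main__":
    after = authentication_packages_after_fix()
    print("After Fixreg.reg:", after, "-> default only:", has_only_default_packages(after))
    # Constructed from the ComboFix log line
    # 'Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\byXPFUOg'.
    before = ["msv1_0", r"C:\WINDOWS\System32\byXPFUOg"]
    print("Before the fix:", before, "-> default only:", has_only_default_packages(before))
    print("Same list as Regedit would export it:", encode_hex7(before))
```

The round trip through `encode_hex7` is what makes the check useful on a real machine: export the lsa key with Regedit, feed the exported line to `parse_hex7`, and compare against `DEFAULT_PACKAGES` instead of reading hex pairs by eye.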

#5
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

Thank you for the follow-up. I did as you asked and here is the MBAM and OTMove text...

MBAM:

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 1

3:17:32 AM 7/31/2008
mbam-log-7-31-2008 (03-17-32).txt

Scan type: Quick Scan
Objects scanned: 40891
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTMove:

C:\WINDOWS\system32\xkwkgeqd.ini moved successfully.
File/Folder C:\WINDOWS\system32\dqegkwkx.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\byXPFUOg.dll
C:\WINDOWS\system32\byXPFUOg.dll NOT unregistered.
C:\WINDOWS\system32\byXPFUOg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\fisxei.dll
C:\WINDOWS\System32\fisxei.dll NOT unregistered.
C:\WINDOWS\System32\fisxei.dll moved successfully.
C:\Temp\drtl109.exe moved successfully.
C:\WINDOWS\dlinfo_0.drv moved successfully.
File/Folder C:\WINDOWS\bnetunin.exe not found.
C:\WINDOWS\diabunin.exe moved successfully.
C:\WINDOWS\iis6.log moved successfully.
C:\WINDOWS\WMSysPrx.prx moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\irmehktb.dll
C:\WINDOWS\system32\irmehktb.dll NOT unregistered.
C:\WINDOWS\system32\irmehktb.dll moved successfully.
C:\WINDOWS\system32\btkhemri.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vqxmyfow.dll
C:\WINDOWS\system32\vqxmyfow.dll NOT unregistered.
C:\WINDOWS\system32\vqxmyfow.dll moved successfully.
C:\WINDOWS\system32\gOUFPXyb.ini moved successfully.
C:\WINDOWS\system32\gOUFPXyb.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07302008_220154

Thanks again!
Shaun
  • 0

#6
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi The Aphex Twin,

About all we need to do is clean up these Alternate Data Streams that Gmer found.

Re-run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    @C:\WINDOWS\hpfsched.exe:mkcwh
    @C:\WINDOWS\smscfg.ini:yvljbg
    @C:\WINDOWS\Sti_Trace.log:xlhcjz
    @C:\WINDOWS\msoffice.ini:byscr
    @C:\WINDOWS\ocgen.log:rddhv
    @C:\WINDOWS\tsoc.log:nnhyam
    @C:\WINDOWS\msgsocm.log:bklkx
    @C:\WINDOWS\PCDLIB32.DLL:uxzfl
    @C:\WINDOWS\winhelp.exe:baltx
    @C:\WINDOWS\wininit.ini:nilja
    @C:\WINDOWS\javagw.dll:ywpkc
    @C:\WINDOWS\cngwu.dat:podou
    @C:\WINDOWS\twain_32.dll:fscgu
    @C:\WINDOWS\twunk_32.exe:qtisa
    @C:\WINDOWS\Q331060.log:rytwm
    @C:\WINDOWS\Q331060.log:vnlnh
    @C:\WINDOWS\Q331060.log:vnlnho
    @C:\WINDOWS\Rhododendron.bmp:cswgjz
  • Return to OTMoveIt, right click on the "Paste list of Files/Folders to be moved" window (under the Yellow bar) and choose Paste.
  • Make sure that there is a tick next to Unregister Dll's and OCX's
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove2.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Now we need to get an Anti-virus program running on this machine.

Anti-virus: Please install one only:
Avast! Free Edition or AntiVir PersonalEdition Classic

Anti-Virus Tutorials/Manuals:
Avast Tutorial
Avast Manual
Antivir Manual

Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log.
If the scan report window does not have a "Save as Report" button (or similar), please highlight the text in the window & copy & paste it to a new Notepad file.
Save it as C:\avscan.txt if you can.

I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt & C:\otmove2.txt

Cheers,

sage5
  • 0
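An added example, not part of the original posts, of Gmer's catchme or of OTMoveIt2: the "scanning hidden files" section of the ComboFix log in post #3 mixes two kinds of entry, ordinary hidden files and NTFS alternate data streams (an executable hidden behind a host such as a .log or .bmp, written `host:stream`). The script below parses that line format, separates the two, groups streams by host file, and prints each stream in the `@host:stream` form sage5 used above. The sample lines are copied from that log; the class and function names are this example's own.

```python
"""Sort the hidden-file lines of a catchme/Gmer scan into NTFS alternate data
streams (ADS) and ordinary hidden files.

Added example for this thread; not part of the original posts, of Gmer's
catchme or of OTMoveIt2. Line format as printed in the ComboFix log in
post #3: "<path>[:<stream>] [<size> bytes [executable]]".
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpt of the 'scanning hidden files' section of the ComboFix log (post #3).
SAMPLE_SCAN_LINES = [
    r"C:\WINDOWS\hpfsched.exe:mkcwh 98926 bytes executable",
    r"C:\WINDOWS\iis6.log:yiqnh 98926 bytes executable",
    r"C:\WINDOWS\Rhododendron.bmp:cswgjz 10893 bytes executable",
    r"C:\WINDOWS\Q331060.log:vnlnh 29256 bytes executable",
    r"C:\WINDOWS\Q331060.log:vnlnho 29256 bytes executable",
    r"C:\WINDOWS\system32\irmehktb.dll 99456 bytes executable",
    r"C:\WINDOWS\system32\SoftwareDistribution",
    r"C:\WINDOWS\system32\xkwkgeqd.ini 294 bytes",
    r"C:\WINDOWS\system32\wuapi.dll.mui_en 25944 bytes executable",
]

# Trailing "<size> bytes" with an optional "executable" flag, as catchme prints it.
TRAILER_RE = re.compile(r"\s+(\d+) bytes(\s+executable)?\s*$")


@dataclass(frozen=True)
class HiddenEntry:
    host: str            # file or directory the entry belongs to
    stream: str | None   # ADS name, None for an ordinary file or directory
    size: int | None     # None when catchme printed no size (directories)
    executable: bool

    @property
    def is_ads(self) -> bool:
        return self.stream is not None

    @property
    def otmoveit_target(self) -> str:
        """Path as OTMoveIt2 wants it: streams in the '@host:stream' form sage5
        used in post #6, ordinary files as-is."""
        return f"@{self.host}:{self.stream}" if self.is_ads else self.host


def parse_line(line: str) -> HiddenEntry | None:
    line = line.rstrip()
    if not line:
        return None
    size, executable = None, False
    m = TRAILER_RE.search(line)
    if m:
        size = int(m.group(1))
        executable = m.group(2) is not None
        line = line[: m.start()]
    # The colon after the drive letter is not a stream separator; any later
    # colon is (NTFS forbids ':' in file names, so rfind() is unambiguous).
    host, stream = line, None
    colon = line.rfind(":")
    if colon > 1:
        host, stream = line[:colon], line[colon + 1 :]
    return HiddenEntry(host, stream, size, executable)


def parse_scan(lines: list[str]) -> list[HiddenEntry]:
    return [e for e in map(parse_line, lines) if e is not None]


def executable_streams(entries: list[HiddenEntry]) -> list[HiddenEntry]:
    """Streams holding a PE image; a .log, .ini or .bmp host should never carry one."""
    return [e for e in entries if e.is_ads and e.executable]


def streams_by_host(entries: list[HiddenEntry]) -> dict[str, list[str]]:
    """Group stream names by host so a file carrying several (Q331060.log
    above) is reported once with all of them."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.is_ads:
            grouped[e.host].append(e.stream)
    return dict(grouped)


if __name__ == "__main__":
    entries = parse_scan(SAMPLE_SCAN_LINES)
    print(f"{len(entries)} hidden entries, {len(executable_streams(entries))} executable streams")
    for host, names in streams_by_host(entries).items():
        print(f"  {host}: {', '.join(names)}")
    for e in executable_streams(entries):
        print("  OTMoveIt2 line:", e.otmoveit_target)
```

Splitting the scan this way also explains the ordinary-file entries: `irmehktb.dll` and `xkwkgeqd.ini` are hidden files rather than streams, which is why they appear in the first OTMoveIt2 list without the `@` prefix, while the `.mui_en` and `.bak` entries under `SoftwareDistribution` are Windows Update leftovers rather than part of the infection.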

#7
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

Thanks again for the response. It seems as though OTMoveIt and the virus scan had some trouble removing the final viruses. Here are my text docs:

OTMoveIT:

Unable to delete ADS C:\WINDOWS\ocgen.log:rddhv .
< @C:\WINDOWS\tsoc.log:nnhyam >
Unable to delete ADS C:\WINDOWS\tsoc.log:nnhyam .
< @C:\WINDOWS\msgsocm.log:bklkx >
Unable to delete ADS C:\WINDOWS\msgsocm.log:bklkx .
< @C:\WINDOWS\PCDLIB32.DLL:uxzfl >
Unable to delete ADS C:\WINDOWS\PCDLIB32.DLL:uxzfl .
< @C:\WINDOWS\winhelp.exe:baltx >
Unable to delete ADS C:\WINDOWS\winhelp.exe:baltx .
< @C:\WINDOWS\wininit.ini:nilja >
Unable to delete ADS C:\WINDOWS\wininit.ini:nilja .
< @C:\WINDOWS\javagw.dll:ywpkc >
Unable to delete ADS C:\WINDOWS\javagw.dll:ywpkc .
< @C:\WINDOWS\cngwu.dat:podou >
Unable to delete ADS C:\WINDOWS\cngwu.dat:podou .
< @C:\WINDOWS\twain_32.dll:fscgu >
Unable to delete ADS C:\WINDOWS\twain_32.dll:fscgu .
< @C:\WINDOWS\twunk_32.exe:qtisa >
Unable to delete ADS C:\WINDOWS\twunk_32.exe:qtisa .
< @C:\WINDOWS\Q331060.log:rytwm >
Unable to delete ADS C:\WINDOWS\Q331060.log:rytwm .
< @C:\WINDOWS\Q331060.log:vnlnh >
Unable to delete ADS C:\WINDOWS\Q331060.log:vnlnh .
< @C:\WINDOWS\Q331060.log:vnlnho >
Unable to delete ADS C:\WINDOWS\Q331060.log:vnlnho .
< @C:\WINDOWS\Rhododendron.bmp:cswgjz >
Unable to delete ADS C:\WINDOWS\Rhododendron.bmp:cswgjz .

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07312008_173915

avast! Virus scanner:

7/31/2008 10:21:34 PM Owner 684 Sign of "Win32:Kuang2" has been found in "C:\WINDOWS\system32\ActiveScan\imscan.dll" file.
7/31/2008 10:14:10 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Tracy\Jumpstarts.doc" file.
7/31/2008 10:12:29 PM Owner 684 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221411.dll:ywpkc" file.
7/31/2008 10:12:29 PM Owner 684 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221412.exe:baltx" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Trojano-952 [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221405.DLL:uxzfl" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Trojano-952 [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221406.dll:fscgu" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Trojano-952 [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221407.exe:qtisa" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Small-E [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221408.ini:nilja" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Trojano-952 [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221409.prx:tmafk" file.
7/31/2008 10:12:28 PM Owner 684 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221410.exe:mkcwh" file.
7/31/2008 10:12:27 PM Owner 684 Sign of "JS:OneMoreSearch" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221402.ini:yvljbg" file.
7/31/2008 10:12:27 PM Owner 684 Sign of "Win32:Trojano-952 [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221404.ini:byscr" file.
7/31/2008 10:12:00 PM Owner 684 Sign of "Win32:Vapsup-HD [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0220017.dll" file.
7/31/2008 10:12:00 PM Owner 684 Sign of "Win32:Vapsup-EB [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0220021.dll" file.
7/31/2008 10:12:00 PM Owner 684 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0220031.dll" file.
7/31/2008 10:11:59 PM Owner 684 Sign of "Win32:Vapsup-HD [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0219998.dll" file.
7/31/2008 10:11:59 PM Owner 684 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0220001.dll" file.
7/31/2008 10:11:58 PM Owner 684 Sign of "Win32:Vapsup-EB [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0219997.dll" file.
7/31/2008 10:10:20 PM Owner 684 Sign of "Win32:Vapsup-EB [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0217589.dll" file.
7/31/2008 10:10:20 PM Owner 684 Sign of "Win32:Vapsup-HD [Adw]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0217590.dll" file.
7/31/2008 10:10:20 PM Owner 684 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1835\A0217591.dll" file.
7/31/2008 9:51:19 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\What are the strengths in.doc" file.
7/31/2008 9:51:17 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\Tracy Hare 5177.doc" file.
7/31/2008 9:51:16 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\The Artistic Outcomes of#78.doc" file.
7/31/2008 9:50:08 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\Data Collection.doc" file.
7/31/2008 9:49:57 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\Data Analysis.doc" file.
7/31/2008 6:35:34 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\Appendix A.doc" file.

Sorry, this is the only text I could pull. Of the above infected areas, the anti-virus program could only remove the .doc files. The others were not deleted.

Let me know if you need anything else and I'd be happy to supply it! Thanks again...

Shaun
  • 0

#8
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Those other entries are in the System Restore folders & cannot activate.
We will clear them out in the last clean up, shortly.

Let's try a different scanner to see if it picks up any leftover files.
Please download the following & save to your Desktop:
SmitfraudFix (by S!Ri)

Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0
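The triage sage5 does by eye above (which avast! hits are live files and which are inert copies under System Restore, and which carry an alternate data stream suffix) can be automated. The following is an added example written for this thread; it is not part of the post, avast! or any of the tools mentioned. It assumes the avast! 4 log line format exactly as pasted in the previous post, and the sample lines are constructed from that post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of one avast! 4 "Sign of ... has been found" line as pasted in the post above
# (assumed format; other avast! versions may differ).
AVAST_LINE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)

# Files under System Restore's _restore folder are archived copies; nothing loads
# them until a restore point is applied, which is why the helper defers them to
# the final clean-up rather than chasing them now.
RESTORE_PREFIX = r"c:\system volume information\_restore"


@dataclass
class Detection:
    signature: str
    path: str
    stream: Optional[str]      # NTFS alternate data stream name, if the path has one
    in_system_restore: bool


def parse_avast_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that are not detections."""
    m = AVAST_LINE.match(line.strip())
    if m is None:
        return None
    path = m.group("path")
    # Only the final path component can carry an ADS suffix; the drive letter's
    # colon ("C:") sits in the first component, so split on the last backslash.
    filename = path.rsplit("\\", 1)[-1]
    stream = filename.split(":", 1)[1] if ":" in filename else None
    return Detection(
        signature=m.group("signature"),
        path=path,
        stream=stream,
        in_system_restore=path.lower().startswith(RESTORE_PREFIX),
    )


def triage(lines: List[str]) -> Dict[str, object]:
    """Separate detections that need attention now from those System Restore is holding."""
    live: List[Detection] = []
    archived: List[Detection] = []
    unparsed = 0
    for line in lines:
        det = parse_avast_line(line)
        if det is None:
            unparsed += 1
        elif det.in_system_restore:
            archived.append(det)
        else:
            live.append(det)
    return {"live": live, "system_restore": archived, "unparsed": unparsed}


# Constructed sample modelled on the avast! lines in the post (not the full log).
SAMPLE_LINES = [
    'avast! Virus scanner:',
    r'7/31/2008 10:21:34 PM Owner 684 Sign of "Win32:Kuang2" has been found in "C:\WINDOWS\system32\ActiveScan\imscan.dll" file.',
    r'7/31/2008 10:12:29 PM Owner 684 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP1841\A0221411.dll:ywpkc" file.',
    r'7/31/2008 9:50:08 PM Owner 684 Sign of "MO97:Tristate-C" has been found in "C:\Documents and Settings\Owner\My Documents\Data Collection.doc" file.',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for det in result["live"]:
        ads = f" (ADS :{det.stream})" if det.stream else ""
        print(f"LIVE     {det.signature:28} {det.path}{ads}")
    for det in result["system_restore"]:
        ads = f" (ADS :{det.stream})" if det.stream else ""
        print(f"ARCHIVED {det.signature:28} {det.path}{ads}")
    print(f"{result['unparsed']} non-detection line(s) skipped")
```

Run as a script it prints one line per detection, grouped as live or archived; the stream name on the archived entry shows why the scanner could flag a file that the earlier OTMoveIt run reported as an undeletable ADS. The `_restore` prefix check is the same reasoning sage5 gives: those copies are inert until a restore point is used, so purging System Restore at the end is what clears them.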

#9
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

Here is the rapport.txt:

SmitFraudFix v2.332

Scan done at 7:55:26.71, Fri 08/01/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 216.165.129.158

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE6CF04A-F1BA-4386-8178-1D8068CB2D07}: DhcpNameServer=192.168.0.1 216.165.129.158
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA4DA925-B62F-4434-BE85-08CA0C503433}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE6CF04A-F1BA-4386-8178-1D8068CB2D07}: DhcpNameServer=192.168.0.1 216.165.129.158
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EA4DA925-B62F-4434-BE85-08CA0C503433}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE6CF04A-F1BA-4386-8178-1D8068CB2D07}: DhcpNameServer=192.168.0.1 216.165.129.158
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EA4DA925-B62F-4434-BE85-08CA0C503433}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.158
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.158
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 216.165.129.158


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#10
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
That's looking really good.
Try one last scan with HijackThis to see if we can track down those Alternate Data Streams.

Scan for Hidden Data Streams:
  • Open HiJackThis.
  • Click on the Open Misc Tools Section button.
  • Click on Open ADS Spy..
  • Uncheck the Quick Scan ... box
  • Click on Scan.
  • Click on Save Log... and save as C:\adsspy.txt
  • NotePad will open a new window.
  • Copy and paste the text from the log into your next post.

  • 0

#11
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Good to hear. I ran the HiJack scan and it is below. I didn't know if you wanted me to remove them yet, so I haven't.

C:\WINDOWS\intuprof.ini : czaokk (11592 bytes)
C:\WINDOWS\msgsocm.log : nadhgx (3567 bytes)
C:\WINDOWS\Soap Bubbles.bmp : usptlj (7305 bytes)
C:\WINDOWS\tsoc.log : ztmoah (11592 bytes)
C:\WINDOWS\twunk_16.exe : rmfccs (7305 bytes)

Thanks again!
Shaun
  • 0

#12
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Very good. Now you can trash those offending ones.

Delete Hidden Data Streams:
  • Open HiJackThis.
  • Click on the Open Misc Tools Section button.
  • Click on Open ADS Spy..
  • Uncheck the Quick Scan ... box
  • Click on Scan.
  • Place a tick next to all of the items listed in your last post
  • Click Remove Selected.
  • Close the HijackThis window.

Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5

Edited by sage5, 01 August 2008 - 05:20 PM.

  • 0

#13
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

I rebooted my computer. It seemed to take a little while booting up, but it always has. I did notice my clock changed back to military time, even though I had switched it to regular.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:38:58, on 8/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F7BD53D-ED89-416C-93E7-F54AB8212445} - C:\WINDOWS\System32\byXPFUOg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {92421fea-1aca-921b-7044-cb41f408ee3b} - {b3ee804f-14bc-4407-b129-aca1aef12429} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4746 bytes


Thanks again,
Shaun
  • 0

#14
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi The Aphex Twin,


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O2 - BHO: (no name) - {1F7BD53D-ED89-416C-93E7-F54AB8212445} - C:\WINDOWS\System32\byXPFUOg.dll (file missing)
O2 - BHO: {92421fea-1aca-921b-7044-cb41f408ee3b} - {b3ee804f-14bc-4407-b129-aca1aef12429} - (no file)

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Create a Startup list:
  • Open HiJackThis
  • Click on the Open Misc Tools Section button.
  • Make sure that the 2 boxes next to the Generate Startuplist log button are ticked
  • Now click on the Generate Startuplist log button.
  • NotePad will open a new window.
  • Copy and paste the text from the log into your next post.

  • 0
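The two O2 entries sage5 picks out above are the ones whose registered CLSID no longer points at a file on disk: HijackThis marks those with "(file missing)" or "(no file)". The following is an added example for this thread, not code from the post or from HijackThis; it assumes the O2 line layout as it appears in the log above, and the sample lines are taken from that log plus one O3 line to show non-O2 entries are ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <InProcServer32 path or status>"
# (assumed layout, matching the log pasted in the thread).
O2_LINE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - '
    r'\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - '
    r'(?P<target>.+)$'
)


@dataclass
class BHOEntry:
    name: str
    clsid: str
    target: str
    orphaned: bool   # CLSID is still registered but its DLL is gone
    raw: str


def parse_o2(line: str) -> Optional[BHOEntry]:
    """Parse one HijackThis line; return None for anything that is not an O2 entry."""
    m = O2_LINE.match(line.strip())
    if m is None:
        return None
    target = m.group("target").strip()
    # HijackThis appends "(file missing)" when the registered DLL path does not exist
    # and prints "(no file)" when the CLSID has no InProcServer32 path at all.
    # A missing name by itself ("(no name)") is not evidence: legitimate BHOs can be unnamed.
    orphaned = target.endswith("(file missing)") or target == "(no file)"
    return BHOEntry(m.group("name"), m.group("clsid"), target, orphaned, line.strip())


def orphaned_bhos(log_lines: List[str]) -> List[BHOEntry]:
    """Return the O2 entries that point at nothing, i.e. the ones to tick before 'Fix Checked'."""
    parsed = (parse_o2(line) for line in log_lines)
    return [entry for entry in parsed if entry is not None and entry.orphaned]


# Sample taken from the HijackThis log in the thread, plus one O3 line (constructed subset).
SAMPLE_HJT_LINES = [
    r'O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll',
    r'O2 - BHO: (no name) - {1F7BD53D-ED89-416C-93E7-F54AB8212445} - C:\WINDOWS\System32\byXPFUOg.dll (file missing)',
    r'O2 - BHO: {92421fea-1aca-921b-7044-cb41f408ee3b} - {b3ee804f-14bc-4407-b129-aca1aef12429} - (no file)',
    r'O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll',
]

if __name__ == "__main__":
    for entry in orphaned_bhos(SAMPLE_HJT_LINES):
        print(f"orphaned BHO {entry.clsid}: {entry.target}")
```

The check keys on the file status, not on the name: the SnagIt BHO has a real DLL and is left alone, while the two entries sage5 lists are returned because their DLLs are gone (the earlier clean-up removed the files but left the registry registrations behind, which is exactly what "Fix Checked" removes).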

#15
The Aphex Twin

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi Sage5,

Here is the startup list:

StartupList report, 8/3/2008, 6:55:45 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Logitech Utility = Logi_MwX.Exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
HP Software Update = C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
PWRISOVM.EXE = C:\Program Files\PowerISO\PWRISOVM.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\ComFile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1 %*)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...0367/wmavax.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 10\Download.dll
CODEBASE = http://active.macrom...tor/cabs/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Lavasoft Ad-Aware Service: "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AEGIS Protocol (IEEE 802.1x) v3.4.3.0: System32\DRIVERS\AegisP.sys (autostart)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (disabled)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (disabled)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (disabled)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (disabled)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Crypkey License: crypserv.exe (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpqcxs08: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (manual start)
HP CUE DeviceDiscovery Service: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (autostart)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (disabled)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
iTouch Keyboard Filter: System32\DRIVERS\itchfltr.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042pr2.Sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.Sys (manual start)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
Net Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetworkX: \SystemRoot\system32\ckldrv.sys (system)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
PCLEPCI: \??\C:\WINDOWS\System32\drivers\pclepci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
Iomega Parallel Port Legacy Filter Driver: System32\DRIVERS\ppa3.sys (system)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Linksys Home Wireless-G USB Adapter Driver: System32\DRIVERS\rt73.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGP.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: System32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{BE729BBE-0AA6-4883-84A0-F061FBF1E882} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
WUSB54GCSVC: "C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe" (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 35,466 bytes
Report generated in 0.469 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks,
Shaun