
Slow, spys, trojans, etc.. Pls HELP :-( [CLOSED]


  • This topic is locked

#31 coolrider69 (Member, Topic Starter, 36 posts)
Getting re-directs, virus....

results of test...

C:\WINDOWS\system32\iifcc.dll - 321120 Bytes

have a new ie window dir.philadelphialivingideas.com/?u=1-ysMERqpUqXta6djlJWd.......

Virus details are 3 occurrences...

;"";"Virus identified Obfustat.VTX";"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wiosropf.dll";"12/7/2007 9:50:20 PM";"wiosropf.dll";"142.5 KB"
;"";"Virus found Lop";"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WLUN0LAJ\hctp[1]";"12/7/2007 9:50:34 PM";"hctp[1]";"83.5 KB"
;"";"Virus found Lop";"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1U30XMJ\ptch[1]";"12/7/2007 9:50:44 PM";"ptch[1]";"78.5 KB"

I'm losing more hair by the second!!! :-( :)



#32 coolrider69 (Member, Topic Starter, 36 posts)
When I posted that, I got another re-direct...

#33 RatHat (Ex Malware Expert, 7,829 posts)
OK, first off, navigate to C:\Program Files\Trend Micro\HijackThis and locate the file HijackThis.exe

When you have found it, rename it to CoolRider.exe by right-clicking the file and choosing "Rename" from the pop-out menu. (The reason for this is that some malware actually hides from HijackThis, and this gets around it.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now, download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


After that download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double-click the program again and it will finish.
  • Please post the contents of C:\NoLop.log in your next reply.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Finally, download ComboFix from Here or Here to your Desktop.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\iifcc.dll
C:\WINDOWS\system32\ccfii.ini
C:\WINDOWS\system32\ccfii.ini2

Folder::

Driver::

Registry::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image not available: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • C:\NoLop.log
  • A new HijackThis (CoolRider) log.

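The three entries RatHat lists together in the File:: block are related: "ccfii" is "iifcc" spelled backwards, so the two .ini files are companions of the DLL rather than unrelated leftovers. The script below is an added example, not part of RatHat's instructions and not code from ComboFix or HijackThis; it finds that reversed-name pairing in a directory listing. The function names and the sample listing (the three CFScript names plus ordinary system32 residents that appear in the logs later in this thread) are my own.

```python
"""Find DLLs whose reversed base name appears as a companion .ini/.ini2 file.

Added example, not code from the thread or from ComboFix. It looks for the
pattern visible in the CFScript above: iifcc.dll paired with ccfii.ini and
ccfii.ini2. Function names and the constructed sample listing are mine.
"""
import ntpath
import os
from typing import Dict, Iterable, List

COMPANION_EXTS = (".ini", ".ini2")


def find_mirror_pairs(filenames: Iterable[str]) -> Dict[str, List[str]]:
    """Return {dll_name: [companion files]} for every DLL whose reversed
    base name exists in the listing with a companion extension.

    Matching is case-insensitive because Windows filenames are. ntpath is
    used so that Windows paths split correctly even when run on Linux.
    """
    names = [ntpath.basename(f) for f in filenames]
    lookup = {n.lower(): n for n in names}          # lowercase -> as listed
    hits: Dict[str, List[str]] = {}
    for name in names:
        base, ext = ntpath.splitext(name)
        if ext.lower() != ".dll":
            continue
        mirror = base.lower()[::-1]
        # A DLL with a same-named .ini is an ordinary config file, not this
        # pattern, so palindromic names are skipped.
        if mirror == base.lower():
            continue
        companions = [lookup[mirror + cext] for cext in COMPANION_EXTS
                      if mirror + cext in lookup]
        if companions:
            hits[name] = companions
    return hits


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run the same check over a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_mirror_pairs(os.listdir(path))


# Constructed listing: the three names from the CFScript plus benign
# system32 files that appear in the ComboFix log posted later in the thread.
SAMPLE_LISTING = [
    "iifcc.dll", "ccfii.ini", "ccfii.ini2",
    "LMIinit.dll", "msvcr70.dll", "hpzpnp.dll",
    "tmp.reg", "CMMGR32.EXE", "mfdivsva.exe",
]

if __name__ == "__main__":
    for dll, companions in find_mirror_pairs(SAMPLE_LISTING).items():
        print(f"{dll} <-> {', '.join(companions)}")
```

On a live machine, `scan_directory(r"C:\WINDOWS\system32")` gives the same report for the real folder; the check is cheap enough to run over every directory on the system path.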

#34 coolrider69 (Member, Topic Starter, 36 posts)
ATF Cleaner found nothing.
NoLop log:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Administrator\Desktop
[12/7/2007]
[10:36:48 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Adobeum
C:\Documents and Settings\Administrator\Application Data\Arcsoft
C:\Documents and Settings\Administrator\Application Data\Avg7
C:\Documents and Settings\Administrator\Application Data\Google
C:\Documents and Settings\Administrator\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Hotsync
C:\Documents and Settings\Administrator\Application Data\Icaclient
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
C:\Documents and Settings\Administrator\Application Data\Leadertech
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Move Networks
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Nero
C:\Documents and Settings\Administrator\Application Data\Smartftp
C:\Documents and Settings\Administrator\Application Data\Superantispyware.com
C:\Documents and Settings\Administrator\Application Data\Virtual Mechanics
C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Hewlett-packard
C:\Documents and Settings\All Users\Application Data\Hotsync
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Virtual Mechanics -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft


Combofix report is...

ComboFix 07-12-07.3 - Administrator 2007-12-07 22:46:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.491 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Dnloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\Dnloads\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ccfii.ini
C:\WINDOWS\system32\ccfii.ini2
C:\WINDOWS\system32\iifcc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ccfii.ini
C:\WINDOWS\system32\ccfii.ini2
C:\WINDOWS\system32\iifcc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-07 22:36 . 2007-12-07 22:36 106 --a------ C:\delete.bat
2007-12-07 22:28 . 2007-12-07 22:28 2,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-07 21:49 . 2007-12-07 21:49 74,304 --a------ C:\WINDOWS\system32\mfdivsva.exe
2007-12-07 13:33 . 2007-12-07 13:33 <DIR> d-------- C:\Deckard
2007-12-07 10:02 . 2007-12-07 10:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-07 07:16 . 2007-12-07 07:16 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-12-07 07:04 . 2007-12-07 07:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 07:03 . 2007-12-07 15:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-07 07:03 . 2007-12-07 07:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-07 06:51 . 2007-12-07 06:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 22:03 . 2007-12-06 22:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-06 22:03 . 2007-12-07 22:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-06 20:45 . 2007-12-06 21:14 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2007-12-06 20:45 . 2007-12-06 20:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 16:08 . 2007-12-04 18:41 310 --a------ C:\WINDOWS\wininit.ini
2007-12-04 13:42 . 2007-12-04 13:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-04 13:42 . 2007-12-07 07:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 13:42 . 2007-12-04 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 13:33 . 2007-12-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 18:19 . 2007-12-03 18:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-03 18:19 . 2007-12-07 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-03 18:10 . 2007-12-03 18:10 <DIR> d-------- C:\KAV
2007-12-01 10:20 . 2007-12-06 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-01 03:00 . 2007-12-01 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-30 21:18 . 2007-11-30 21:18 748 --a------ C:\WINDOWS\ST4UNST.000
2007-11-30 21:13 . 2007-11-30 21:20 55 --a------ C:\WINDOWS\xm.url
2007-11-30 11:02 . 2007-11-30 16:22 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-30 10:09 . 2007-11-30 10:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-30 10:03 . 2007-11-30 10:03 <DIR> d-------- C:\Program Files\Nero
2007-11-30 10:02 . 2007-11-30 10:06 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-30 10:02 . 2007-11-30 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-29 14:33 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-29 14:33 . 2006-10-04 08:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-29 14:33 . 2006-10-04 08:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-29 14:32 . 2007-11-29 14:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-29 14:30 . 2007-11-29 14:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-29 14:30 . 2007-11-29 14:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-28 17:47 . 2007-11-28 17:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-11-28 12:34 . 2007-11-28 12:35 <DIR> d-------- C:\Program Files\TVAnts
2007-11-28 12:33 . 2007-11-28 12:33 <DIR> d-------- C:\WINDOWS\uninstall\Satellite TV for PC Elite
2007-11-28 12:33 . 2007-11-28 12:33 <DIR> d-------- C:\WINDOWS\uninstall
2007-11-28 12:33 . 2006-04-29 04:07 5,533,696 --a------ C:\WINDOWS\system32\OLD8A.tmp
2007-11-28 12:25 . 2007-11-28 12:25 <DIR> d-------- C:\Program Files\Google
2007-11-25 22:46 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-25 22:46 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-25 22:46 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-11-25 22:45 . 2007-12-07 06:40 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-25 22:45 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-11-25 22:45 . 2007-11-25 22:45 1,024 --a------ C:\.rnd
2007-11-22 10:52 . 2007-11-22 10:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-11-22 10:51 . 2007-11-22 10:52 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-11-22 10:44 . 2003-08-11 10:13 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
2007-11-22 10:44 . 2003-08-11 10:07 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-19 17:20 . 2007-11-19 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-19 17:17 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\system32\hpzpnp.dll
2007-11-19 17:17 . 2006-09-01 14:29 30,208 --a------ C:\WINDOWS\system32\HPZIPT12.DLL
2007-11-19 17:17 . 2006-09-01 15:18 20,480 --a------ C:\WINDOWS\system32\HPZISN12.DLL
2007-11-19 16:58 . 2007-11-19 16:58 <DIR> d-------- C:\HP LJ 4x50 Series
2007-11-15 18:46 . 2007-11-15 18:46 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-11-15 18:46 . 2007-11-15 18:46 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll
2007-11-15 15:25 . 2006-02-20 22:27 81,987 --a------ C:\WINDOWS\system32\AUCPLMNT.DLL
2007-11-15 15:21 . 2007-11-15 15:25 <DIR> d-------- C:\Program Files\Canon
2007-11-13 09:25 . 2007-11-30 12:46 73 --a------ C:\WINDOWS\webica.ini
2007-11-12 18:18 . 2007-11-12 18:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2007-11-09 21:50 . 2007-11-09 21:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2007-11-09 21:49 . 2007-11-09 21:49 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-11-09 21:49 . 2007-11-09 21:49 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-11-09 21:39 . 2007-11-09 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virtual Mechanics
2007-11-09 21:39 . 2007-11-09 21:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Virtual Mechanics
2007-11-09 21:38 . 2007-11-09 21:38 <DIR> d-------- C:\Program Files\Virtual Mechanics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 00:18 --------- d-----w C:\Program Files\Symantec
2007-12-04 00:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-04 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-22 16:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-18 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2007-11-07 21:21 --------- d-----w C:\Program Files\Common Files\Intel
2007-11-07 19:21 --------- d-----w C:\Program Files\Citrix
2007-11-07 18:08 --------- d-----w C:\Program Files\CounterPath
2007-11-04 16:58 --------- d-----w C:\Program Files\palmOne
2007-11-04 16:26 --------- d-----w C:\Program Files\Palm Inc
2007-11-04 16:17 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-11-04 04:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-04 04:31 --------- d-----w C:\Program Files\Stellar Phoenix Windows Data Recovery
2007-11-04 02:08 --------- d-----w C:\Program Files\Drive Rescue
2007-11-03 20:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-03 20:05 --------- d-----w C:\Program Files\Belkin
2007-11-03 18:50 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 18:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Arcsoft
2007-11-03 18:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2007-11-03 18:06 --------- d-----w C:\Program Files\Windows Desktop Search
2007-11-03 18:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-11-03 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\HotSync
2007-11-03 16:57 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-11-03 16:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-03 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HotSync
2007-11-02 23:19 --------- d-----w C:\Program Files\MXpie Patch
2007-11-02 23:18 --------- d-----w C:\Program Files\WinMX
2007-11-02 23:01 --------- d-----w C:\Program Files\Windows XP Home-Pro-2003 SP2 Crack
2007-11-02 22:27 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-11-02 22:01 --------- d-----w C:\Program Files\MSBuild
2007-11-02 22:01 --------- d-----w C:\Program Files\Microsoft Works
2007-11-02 21:15 --------- d-----w C:\Program Files\Sophos
2007-11-02 20:19 --------- d-----w C:\Program Files\TOSHIBA
2007-11-02 20:09 --------- d-----w C:\Program Files\SigmaTel
2007-11-02 17:53 --------- d-----w C:\Program Files\Intel
2007-11-02 17:30 --------- d-----w C:\Program Files\Synaptics
2007-11-02 06:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub)]
@={99FD978C-D287-4F50-827F-B2C658EDA8E7}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 2 (GFS Stub)]
@={AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)]
@={920E6DB1-9907-4370-B3A0-BAFC03D81399}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 3 (GFS Folder)]
@={16F3DD56-1AF5-4347-846D-7C10C4192619}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark)]
@={2916C86E-86A6-43FE-8112-43ABE6BF8DCC}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SmartFTP Drop]
@={EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}

[HKEY_CLASSES_ROOT\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}]
2007-11-08 01:51 406840 --a------ C:\Program Files\SmartFTP Client\sfShellTools.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2003-04-15 20:01]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2003-09-25 10:19 C:\WINDOWS\system32\TPSMain.exe]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 16:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-02 15:05]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-06 22:02]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 22:03]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2004-11-10 12:36:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"qrgnqleh"=rundll32.exe "C:\Program Files\qrgnqleh\klcnuvol.dll",Init
"rsfghcze"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rsfghcze.dll"
"<NO NAME>"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 22:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 22:56:45 - machine was rebooted
.
--- E O F ---

I will run HijackThis now, and report in another post
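The "Files Created" section of the ComboFix log above is a creation-time timeline, and the first post supplies a pivot for it: AVG flagged wiosropf.dll at 12/7/2007 9:50:20 PM. Lining the two up shows C:\WINDOWS\system32\mfdivsva.exe created at 21:49, one minute before that detection. The script below is an added example (not part of ComboFix, NoLop or RatHat's instructions) that parses those log lines and returns the files created within a window around a pivot time. Both logs are in the machine's local time (ComboFix prints [GMT -6:00]), so no offset conversion is applied; the function names, the window size and the sample subset of lines are my own.

```python
"""Pivot on an AV detection time and list files ComboFix saw created near it.

Added example; not code from ComboFix, NoLop or this thread. It parses lines
from the "Files Created" section of the ComboFix log posted above and returns
the entries whose creation time falls within +/- window of a pivot timestamp.
The pivot used here is the AVG detection time from the first post
(12/7/2007 9:50:20 PM). Both logs use local time, so no offset is applied.
Function names, the window size and the sample subset are my choices.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence

# Example line:
# 2007-12-07 21:49 . 2007-12-07 21:49 74,304 --a------ C:\WINDOWS\system32\mfdivsva.exe
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # creation date/time
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "        # last-write date/time
    r"(<DIR>|[\d,]+) "                         # size with thousands commas, or <DIR>
    r"(\S+) "                                  # attribute flags such as --a------
    r"(.+)$"                                   # path (may contain spaces)
)
EXEC_EXTS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".com")


@dataclass
class Created:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_files_created(lines: Iterable[str]) -> List[Created]:
    """Parse 'Files Created' lines; lines that do not match are ignored."""
    out: List[Created] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c, w, size, attrs, path = m.groups()
        out.append(Created(
            created=datetime.strptime(c, "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(w, "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path,
        ))
    return out


def files_near(records: Sequence[Created], pivot: datetime,
               window_minutes: int, executables_only: bool = True) -> List[Created]:
    """Files created within +/- window_minutes of pivot, nearest first.

    Directories are skipped; with executables_only the result is limited to
    the extensions in EXEC_EXTS, which is what you want when hunting a dropper.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for r in records:
        if r.is_dir:
            continue
        if executables_only and not r.path.lower().endswith(EXEC_EXTS):
            continue
        if abs(r.created - pivot) <= window:
            hits.append(r)
    return sorted(hits, key=lambda r: abs(r.created - pivot))


# Constructed sample: a subset of the Files Created lines from the log above.
SAMPLE_LOG = """
2007-12-07 22:36 . 2007-12-07 22:36 106 --a------ C:\\delete.bat
2007-12-07 22:28 . 2007-12-07 22:28 2,508 --a------ C:\\WINDOWS\\system32\\tmp.reg
2007-12-07 21:49 . 2007-12-07 21:49 74,304 --a------ C:\\WINDOWS\\system32\\mfdivsva.exe
2007-12-07 13:33 . 2007-12-07 13:33 <DIR> d-------- C:\\Deckard
2007-12-07 10:02 . 2007-12-07 10:02 <DIR> d-------- C:\\WINDOWS\\system32\\Kaspersky Lab
2007-12-07 07:16 . 2007-12-07 07:16 0 --a------ C:\\WINDOWS\\system32\\CMMGR32.EXE
2007-11-25 22:46 . 2007-11-15 18:46 83,288 --a------ C:\\WINDOWS\\system32\\LMIRfsClientNP.dll
""".strip().splitlines()

# AVG's detection of wiosropf.dll at 12/7/2007 9:50:20 PM (first post in this thread).
PIVOT = datetime(2007, 12, 7, 21, 50, 20)

if __name__ == "__main__":
    for r in files_near(parse_files_created(SAMPLE_LOG), PIVOT, 15):
        print(f"{r.created:%Y-%m-%d %H:%M}  {r.size:>8}  {r.path}")
```

With a 15-minute window only mfdivsva.exe is returned; widening it to an hour and dropping the executable filter also pulls in tmp.reg and delete.bat, which were written after the cleanup tools started running and are a reminder that the same timeline records the responder's own activity.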

#35 coolrider69 (Member, Topic Starter, 36 posts)
HijackThis file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:50 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CounterPath\X-Lite\x-lite.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\CoolRider.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194044977829
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9730 bytes


The system seems stable, and a lot faster too!

We will keep our fingers crossed.

Thanks for your help :)

We will take this up in the am

Coolrider
  • 0

#36
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good morning!

ATF cleaner found nothing

ATF won't find and report anything, but it does clean all your temp files and folders. This was where LOP was reported as being, so after looking at the NoLop log, we may have got that bugger!

OK, the combofix log is showing me a couple of suspicious files so I would like to get them analysed:

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\mfdivsva.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as mfdivsva.txt
  • Please post the contents in your next reply.
Do the same thing for these files:

C:\Program Files\qrgnqleh\klcnuvol.dll
C:\Documents and Settings\All Users\Application Data\rsfghcze.dll


Save each result as a text file named after the file you have scanned.

Post me the contents of those three scans, and let me know if you have had any more problems this morning.

Regards,
RatHat
  • 0

#37
coolrider69

coolrider69

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Ran all 3, got the same resulting message.
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

HOWEVER, when the first ran,
C:\WINDOWS\system32\mfdivsva.exe,
AVG popped up with Trojan Horse BackDoor.Agent.PTA
So I sent it to the Vault

  • 0

#38
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
AVG popped up with Trojan Horse BackDoor.Agent.PTA
So I sent it to the Vault


Good to see AVG is working without any conflicts! You sound like you enjoyed sending that file to the vault!

Now just to make sure, let's run an online scan to see if there is any more crap hiding in there:

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

If you have problems running the Java Scan, try the Active X scan:


TrendMicro™ HouseCall ActiveX Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
  • You may receive a prompt to install the ActiveX, click install.
  • If you are taken back to the main page, click Launching HouseCall>> button again.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

I would also like you to run Combofix again, this time without a script:
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


When done, post me the Combofix and HijackThis logs, and let me know how your computer is behaving now.

Regards,
RatHat
  • 0

#39
coolrider69

coolrider69

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
There is still a Trojan
I need to get this solved asap.
I am leaving town on biz in 18 hrs.... for 2 weeks and need this laptop argh...
Here is Virus Vault:
Trojan horse BackDoor.Agent.PTA C:\WINDOWS\system32\mfdivsva.exe 12/8/2007 8:28 mfdivsva.exe 72.56 KB
Trojan horse Generic9.ACFR C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ikooqdro.dll 12/9/2007 1:40 ikooqdro.dll 52 KB
Virus identified Obfustat.VTX C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wiosropf.dll 12/7/2007 21:50 wiosropf.dll 142.5 KB
Virus found Lop C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WLUN0LAJ\hctp[1] 12/7/2007 21:50 hctp[1] 83.5 KB
Virus found Lop C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1U30XMJ\ptch[1] 12/7/2007 21:50 ptch[1] 78.5 KB

Here is the Combofix file:
ComboFix 07-12-07.3 - Administrator 2007-12-09 1:38:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.563 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Dnloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-09 01:31 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-09 01:31 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-09 01:31 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-09 01:31 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-09 01:31 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-08 19:08 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-08 18:10 . 2007-12-08 19:15 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-08 09:14 . 2007-12-08 09:14 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-07 22:36 . 2007-12-07 22:36 106 --a------ C:\delete.bat
2007-12-07 22:28 . 2007-12-09 01:32 2,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-07 13:33 . 2007-12-07 13:33 <DIR> d-------- C:\Deckard
2007-12-07 10:02 . 2007-12-07 10:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-07 07:16 . 2007-12-07 07:16 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-12-07 07:04 . 2007-12-07 07:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 07:03 . 2007-12-07 15:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-07 07:03 . 2007-12-07 07:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-07 06:51 . 2007-12-07 06:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 22:03 . 2007-12-06 22:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-06 22:03 . 2007-12-08 08:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-06 20:45 . 2007-12-06 21:14 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2007-12-06 20:45 . 2007-12-06 20:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 16:08 . 2007-12-04 18:41 310 --a------ C:\WINDOWS\wininit.ini
2007-12-04 13:42 . 2007-12-04 13:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-04 13:42 . 2007-12-07 07:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 13:42 . 2007-12-04 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 13:33 . 2007-12-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 18:19 . 2007-12-03 18:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-03 18:19 . 2007-12-07 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-03 18:10 . 2007-12-03 18:10 <DIR> d-------- C:\KAV
2007-12-01 10:20 . 2007-12-06 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-01 03:00 . 2007-12-01 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-30 21:18 . 2007-11-30 21:18 748 --a------ C:\WINDOWS\ST4UNST.000
2007-11-30 21:13 . 2007-11-30 21:20 55 --a------ C:\WINDOWS\xm.url
2007-11-30 11:02 . 2007-11-30 16:22 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-30 10:09 . 2007-11-30 10:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2007-11-30 10:03 . 2007-11-30 10:03 <DIR> d-------- C:\Program Files\Nero
2007-11-30 10:02 . 2007-11-30 10:06 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-30 10:02 . 2007-11-30 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-29 14:33 . 2006-10-04 08:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-29 14:33 . 2006-10-04 08:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-29 14:33 . 2006-10-04 08:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-29 14:32 . 2007-11-29 14:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-29 14:30 . 2007-11-29 14:30 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-29 14:30 . 2007-11-29 14:31 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-28 17:47 . 2007-11-28 17:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-11-28 12:34 . 2007-11-28 12:35 <DIR> d-------- C:\Program Files\TVAnts
2007-11-28 12:33 . 2007-11-28 12:33 <DIR> d-------- C:\WINDOWS\uninstall\Satellite TV for PC Elite
2007-11-28 12:33 . 2007-11-28 12:33 <DIR> d-------- C:\WINDOWS\uninstall
2007-11-28 12:33 . 2006-04-29 04:07 5,533,696 --a------ C:\WINDOWS\system32\OLD8A.tmp
2007-11-28 12:25 . 2007-11-28 12:25 <DIR> d-------- C:\Program Files\Google
2007-11-25 22:46 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-11-25 22:46 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-11-25 22:46 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-11-25 22:45 . 2007-12-09 01:29 <DIR> d-------- C:\Program Files\LogMeIn
2007-11-25 22:45 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-11-25 22:45 . 2007-11-25 22:45 1,024 --a------ C:\.rnd
2007-11-22 10:52 . 2007-11-22 10:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-11-22 10:51 . 2007-11-22 10:52 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-11-22 10:44 . 2003-08-11 10:13 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
2007-11-22 10:44 . 2003-08-11 10:07 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-19 17:20 . 2007-11-19 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-11-19 17:17 . 2007-02-13 20:23 103,424 --a------ C:\WINDOWS\system32\hpzpnp.dll
2007-11-19 17:17 . 2006-09-01 14:29 30,208 --a------ C:\WINDOWS\system32\HPZIPT12.DLL
2007-11-19 17:17 . 2006-09-01 15:18 20,480 --a------ C:\WINDOWS\system32\HPZISN12.DLL
2007-11-19 16:58 . 2007-11-19 16:58 <DIR> d-------- C:\HP LJ 4x50 Series
2007-11-15 18:46 . 2007-11-15 18:46 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-11-15 18:46 . 2007-11-15 18:46 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll
2007-11-15 15:25 . 2006-02-20 22:27 81,987 --a------ C:\WINDOWS\system32\AUCPLMNT.DLL
2007-11-15 15:21 . 2007-11-15 15:25 <DIR> d-------- C:\Program Files\Canon
2007-11-13 09:25 . 2007-11-30 12:46 73 --a------ C:\WINDOWS\webica.ini
2007-11-12 18:18 . 2007-11-12 18:18 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2007-11-09 21:50 . 2007-11-09 21:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SmartFTP
2007-11-09 21:49 . 2007-11-09 21:49 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-11-09 21:49 . 2007-11-09 21:49 <DIR> d-------- C:\Program Files\SmartFTP Client
2007-11-09 21:39 . 2007-11-09 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virtual Mechanics
2007-11-09 21:39 . 2007-11-09 21:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Virtual Mechanics
2007-11-09 21:38 . 2007-11-09 21:38 <DIR> d-------- C:\Program Files\Virtual Mechanics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 00:18 --------- d-----w C:\Program Files\Symantec
2007-12-04 00:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-04 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-22 16:29 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-18 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2007-11-07 21:21 --------- d-----w C:\Program Files\Common Files\Intel
2007-11-07 19:21 --------- d-----w C:\Program Files\Citrix
2007-11-07 18:08 --------- d-----w C:\Program Files\CounterPath
2007-11-04 16:58 --------- d-----w C:\Program Files\palmOne
2007-11-04 16:26 --------- d-----w C:\Program Files\Palm Inc
2007-11-04 16:17 16,694 ----a-w C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-11-04 04:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-04 04:31 --------- d-----w C:\Program Files\Stellar Phoenix Windows Data Recovery
2007-11-04 02:08 --------- d-----w C:\Program Files\Drive Rescue
2007-11-03 20:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-03 20:05 --------- d-----w C:\Program Files\Belkin
2007-11-03 18:50 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 18:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Arcsoft
2007-11-03 18:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2007-11-03 18:06 --------- d-----w C:\Program Files\Windows Desktop Search
2007-11-03 18:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-11-03 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\HotSync
2007-11-03 16:57 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-11-03 16:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-03 16:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HotSync
2007-11-02 23:19 --------- d-----w C:\Program Files\MXpie Patch
2007-11-02 23:18 --------- d-----w C:\Program Files\WinMX
2007-11-02 22:27 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-11-02 22:01 --------- d-----w C:\Program Files\MSBuild
2007-11-02 22:01 --------- d-----w C:\Program Files\Microsoft Works
2007-11-02 21:15 --------- d-----w C:\Program Files\Sophos
2007-11-02 20:19 --------- d-----w C:\Program Files\TOSHIBA
2007-11-02 20:09 --------- d-----w C:\Program Files\SigmaTel
2007-11-02 17:53 --------- d-----w C:\Program Files\Intel
2007-11-02 17:30 --------- d-----w C:\Program Files\Synaptics
2007-11-02 06:31 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-12 15:19 8,784 ----a-w C:\WINDOWS\system32\ractrlkeyhook.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-07_22.55.32.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-21 21:53:44 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub)]
@={99FD978C-D287-4F50-827F-B2C658EDA8E7}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 2 (GFS Stub)]
@={AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)]
@={920E6DB1-9907-4370-B3A0-BAFC03D81399}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 3 (GFS Folder)]
@={16F3DD56-1AF5-4347-846D-7C10C4192619}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark)]
@={2916C86E-86A6-43FE-8112-43ABE6BF8DCC}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SmartFTP Drop]
@={EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}

[HKEY_CLASSES_ROOT\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_CLASSES_ROOT\CLSID\{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}]
2007-11-08 01:51 406840 --a------ C:\Program Files\SmartFTP Client\sfShellTools.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eyeBeam SIP Client"="C:\Program Files\CounterPath\X-Lite\x-lite.exe" [2007-06-05 08:52]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-04-15 15:05 C:\WINDOWS\system32\nwiz.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2003-04-15 20:01]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2003-09-25 10:19 C:\WINDOWS\system32\TPSMain.exe]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2003-08-03 16:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-02 15:05]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-06 22:02]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 22:03]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2004-11-10 12:36:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2006-06-07 17:05:38]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"qrgnqleh"=rundll32.exe "C:\Program Files\qrgnqleh\klcnuvol.dll",Init
"rsfghcze"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rsfghcze.dll"
"<NO NAME>"=

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\47.tmp
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 01:40:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 1:40:42
C:\ComboFix2.txt ... 2007-12-07 22:56
.
--- E O F ---
  • 0
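As an added, defender-side example that is not part of this thread (and not ComboFix's own code): a small Python triage script for the "Reg Loading Points" section of a ComboFix log like the one pasted above. It walks each Run value and scores it on a few heuristics (launched through rundll32/regsvr32, DLL stored outside C:\WINDOWS, DLL kept in a folder named after the value, DLL dropped straight into All Users\Application Data, eight-letter machine-looking value name) and reports entries that hit two or more. The sample log is constructed from a few benign lines of the log above plus the two entries shown under the run- key; the thresholds and the names triage and analyse_entry are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, patterned on the ComboFix "Reg Loading Points" output in
# this thread: three benign Run values and the two entries listed under run-.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"qrgnqleh"=rundll32.exe "C:\Program Files\qrgnqleh\klcnuvol.dll",Init
"rsfghcze"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rsfghcze.dll"
"<NO NAME>"=
"""

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<cmd>.*)$')
DLL_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.dll)\b', re.IGNORECASE)
LOADERS = ("rundll32", "regsvr32")
MIN_REASONS = 2  # assumed threshold: report a value once two heuristics agree


def looks_generated(name):
    """Eight lowercase letters containing a run of four or more consonants."""
    return (re.fullmatch(r'[a-z]{8}', name) is not None
            and re.search(r'[^aeiou]{4,}', name) is not None)


def analyse_entry(name, cmd):
    """Return the list of heuristic reasons that make one Run value suspicious."""
    reasons = []
    lowered = cmd.strip().lstrip('"').lower()
    if lowered.startswith(LOADERS):
        reasons.append("launched through rundll32/regsvr32 rather than its own executable")
    m = DLL_RE.search(cmd)
    if m:
        dll = PureWindowsPath(m.group(1))
        parent = dll.parent
        if not str(dll).lower().startswith("c:\\windows\\"):
            reasons.append(f"DLL lives outside C:\\WINDOWS: {dll}")
        if parent.name.lower() == name.lower():
            reasons.append("DLL sits in a folder named after the Run value")
        if str(parent).lower().endswith("\\all users\\application data"):
            reasons.append("DLL dropped directly into All Users\\Application Data")
    if looks_generated(name):
        reasons.append("value name looks machine-generated")
    return reasons


def triage(log_text):
    """Parse the Run-key blocks of a ComboFix log and return the flagged values."""
    hits = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("key")
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        reasons = analyse_entry(val.group("name"), val.group("cmd"))
        if len(reasons) >= MIN_REASONS:
            hits.append({"section": section, "name": val.group("name"),
                         "cmd": val.group("cmd"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["section"]}\n  "{hit["name"]}": {hit["cmd"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The heuristics are deliberately cheap: a single hit (for instance the legitimate NvCplDaemon value, which also goes through rundll32) is not enough to report a value, while the two run- entries trip four heuristics each. Anything reported is a candidate for the kind of upload-and-scan check asked for earlier in the thread, not a verdict on its own.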

#40
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please describe exactly what happens when the trojan appears, and also what other problem your computer shows.

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient



When you have done that, let's have a really deep look into your computer!

Download to your Desktop:
- ISeeYouXP by ShadowPuterDude

Double-click ISeeYouXP.exe, ISeeYouXp will be extracted to C:\ISeeYouXP.

Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate:
ISeeYouXP.bat

Double-click to run the script. When complete attach the log in your next reply.

Possible Error Messages
  • If your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.

    To fix the above error message, choose the download below which is appropriate for your system
    • For Windows XP Pro: download and run: XPproFix
    • For Windows XP Home: download and run: XPHomeFix
    • For Windows 2000: download and run: W2KFix
    Then run ISeeYouXP.bat again and attach the log.
  • A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
16 bit MS-DOS Subsystem
drive:\program path
XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.


-or-

16 bit MS-DOS Subsystem
drive:\program path
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.


After attempting to fix the above errors, run ISeeYouXP.bat and attach the log in your next reply.


Regards,
RatHat

Edited by RatHat, 09 December 2007 - 08:37 AM.

  • 0



#41
coolrider69

coolrider69

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
F-Secure report:

Scanning Report
Sunday, December 09, 2007 08:54:42 - 10:35:32
Computer name: SCOTT
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 9 malware found
Malware.BHMQ (virus)
C:\WINDOWS\SYSTEM32\BASSMOD.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 41161
System: 4533
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 8
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-28
F-Secure AVP: 7.0.171, 2007-12-09
F-Secure Orion: 1.2.37, 2007-12-09
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-11-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


********************************************

doing ISEEYOUXP now
  • 0

#42
coolrider69

coolrider69

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Edited by coolrider69, 09 December 2007 - 11:15 AM.

  • 0

#43
coolrider69

coolrider69

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
***********************************************************************************
ISeeYouXP v2.0 Beta 13

ISeeYouXP v1.3.0-v2.0 Beta 13 Copyright - ShadowPuterDude
ISeeYouXP v1.2.9 and earlier Copyright - PhilliePhan
------------------------------------------------------------------------------------
**** PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE NOT BADDIES! ****
**** PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION. ****
***********************************************************************************

Windows/Browser/Java Versions:

Microsoft Windows XP Professional
Version: 5.1.2600
Service Pack: 2.0
Windows Directory: C:\WINDOWS

Internet Explorer
Version: 6.0.2900.2180
Build: 62900.2180
Language: English (United States)
Path: C:\Program Files\Internet Explorer


Boot State: Normal boot

Scan done at 11:02:47.31, Sun 12/09/2007

------------------------------------------------------------------------------------

ISeeYouXP installation folder and files

"C:\ISeeYouXP\"
bootst~1.vbs May 28 2007 359 "bootstate.vbs"
change.log Oct 17 2007 4902 "change.log"
chodefix.bat Apr 18 2007 5387 "chodefix.bat"
fixchode.reg Apr 18 2007 528 "fixChode.reg"
fixexp~1.bat Feb 24 2007 487 "FixExplorerPolicies.bat"
getunk~1.bat Aug 12 2006 1478 "GetUnKeys.bat"
grep.exe Dec 24 2004 160768 "grep.exe"
hideit.bat Oct 17 2007 1072 "HideIT.bat"
ieinfo.vbs May 28 2007 514 "ieinfo.vbs"
iesecu~1.bat Oct 28 2007 72 "IESecurityZones.bat"
iesecu~1.vbs Nov 7 2007 2399 "IESecurityZones.vbs"
iseeyo~1.bat Oct 17 2007 209237 "ISeeYouXP.bat"
libico~1.dll Mar 16 2004 898048 "libiconv2.dll"
libintl3.dll Oct 9 2004 101888 "libintl3.dll"
locate.com Jan 14 2005 11254 "locate.com"
md5sum.exe Aug 5 2007 49152 "md5sum.exe"
msconf~1.bat Feb 24 2007 578 "MSConfigFix.bat"
osinfo.vbs May 28 2007 598 "osinfo.vbs"
pcbutts.txt Mar 25 2007 5167 "PCBUTTS.TXT"
pcre.dll Nov 14 2004 183313 "pcre.dll"
pv.exe Mar 2 2006 73728 "pv.exe"
regedi~1.bat Mar 30 2007 650 "RegEditFix.bat"
regfix.bat Apr 18 2007 145 "Regfix.bat"
servic~1.vbs May 28 2007 672 "servicesinfo.vbs"
showit.bat Oct 17 2007 1013 "ShowIT.bat"
swreg.exe Apr 5 2007 139776 "swreg.exe"
system~1.bat Feb 28 2007 369 "SystemRestoreFix.bat"
taskmg~1.bat Feb 24 2007 288 "TaskMgrFix.bat"

28 items found: 28 files, 0 directories.
Total of file sizes: 1,853,842 bytes 1.77 M
3 Dir(s) 60,845,436,928 bytes free

------------------------------------------------------------------------------------

System Environment Variables

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SCOTT
ComSpec=C:\WINDOWS\system32\cmd.exe
errcode=0
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SCOTT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SCOTT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS

------------------------------------------------------------------------------------

Showing any Pocket Killbox backup files

No matches found.

------------------------------------------------------------------------------------

Displaying BOOT.INI:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

------------------------------------------------------------------------------------

Displaying SYSTEM.INI:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

------------------------------------------------------------------------------------

Displaying WIN.INI:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
m2v=MPEGVideo
mod=MPEGVideo
[CKSN]
winNT=open

------------------------------------------------------------------------------------

Displaying AUTOEXEC.BAT:


------------------------------------------------------------------------------------

Displaying CONFIG.SYS:


------------------------------------------------------------------------------------

Displaying Running Processes:

PROCESS PID PRIO PATH
smss.exe 784 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 848 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 872 High C:\WINDOWS\system32\winlogon.exe
services.exe 920 Normal C:\WINDOWS\system32\services.exe
lsass.exe 932 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 1080 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1156 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1192 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1248 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1352 Normal C:\WINDOWS\System32\svchost.exe
aawservice.exe 1984 Normal C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
spoolsv.exe 172 Normal C:\WINDOWS\system32\spoolsv.exe
guard.exe 1300 Normal C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
avgamsvr.exe 1344 Normal C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgupsvc.exe 1376 Normal C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
btwdins.exe 1452 Normal C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
CFSvcs.exe 1476 Normal C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
crypserv.exe 1240 High C:\WINDOWS\system32\crypserv.exe
mdm.exe 1940 Normal C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
NBService.exe 232 Normal C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
nvsvc32.exe 488 Normal C:\WINDOWS\system32\nvsvc32.exe
svchost.exe 500 Normal C:\WINDOWS\System32\svchost.exe
SearchIndexer.exe 200 Normal C:\WINDOWS\system32\SearchIndexer.exe
alg.exe 2136 Normal C:\WINDOWS\System32\alg.exe
00THotkey.exe 2376 Normal C:\WINDOWS\system32\00THotkey.exe
TFncKy.exe 2400 Normal C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
TPSMain.exe 2408 Normal C:\WINDOWS\system32\TPSMain.exe
stacmon.exe 2464 Normal C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
avgas.exe 2472 Normal C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
GrooveMonitor.exe 2480 Normal C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
Acrotray.exe 2488 Normal C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
avgcc.exe 2780 Normal C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
x-lite.exe 2792 High C:\Program Files\CounterPath\X-Lite\x-lite.exe
NMBgMonitor.exe 2808 Normal C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
ctfmon.exe 2816 Normal C:\WINDOWS\system32\ctfmon.exe
TPSBattM.exe 2840 Normal C:\WINDOWS\system32\TPSBattM.exe
NMIndexingService.exe 2944 Normal C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
SUPERAntiSpyware.exe 2952 Normal C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
NMIndexStoreSvr.exe 3064 Normal C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
BTTray.exe 3112 Normal C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
Hotsync.exe 3144 Normal C:\Program Files\palmOne\Hotsync.exe
ONENOTEM.EXE 3632 Normal C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
explorer.exe 4064 Normal C:\WINDOWS\explorer.exe
SBCSSvc.exe 1296 Normal C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
SBCSTray.exe 2800 Normal C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
IEXPLORE.EXE 4012 Normal C:\Program Files\Internet Explorer\IEXPLORE.EXE
OUTLOOK.EXE 3800 Normal C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
SearchFilterHost.exe 2924 Below Normal C:\WINDOWS\system32\SearchFilterHost.exe
SearchProtocolHost.exe 2756 Below Normal C:\WINDOWS\system32\SearchProtocolHost.exe
cmd.exe 2356 Normal C:\WINDOWS\system32\cmd.exe
ntvdm.exe 2888 Normal C:\WINDOWS\system32\ntvdm.exe
wmiprvse.exe 392 Normal C:\WINDOWS\System32\wbem\wmiprvse.exe
pv.exe 3488 Normal C:\ISEEYO~1\pv.exe

------------------------------------------------------------------------------------

Displaying Windows Services:

Name: aawservice
Display Name: Ad-Aware 2007 Service
Description: Protects your computer from spyware
Path Name: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
Start Mode: Auto
State: Running

Name: Adobe LM Service
Display Name: Adobe LM Service
Description: AdobeLM Service
Path Name: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
Start Mode: Manual
State: Stopped

Name: Alerter
Display Name: Alerter
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k LocalService
Start Mode: Disabled
State: Stopped

Name: ALG
Display Name: Application Layer Gateway Service
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Path Name: C:\WINDOWS\System32\alg.exe
Start Mode: Manual
State: Running

Name: AppMgmt
Display Name: Application Management
Description: Provides software installation services such as Assign, Publish, and Remove.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: AudioSrv
Display Name: Windows Audio
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: AVG Anti-Spyware Guard
Display Name: AVG Anti-Spyware Guard
Description:
Path Name: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Start Mode: Auto
State: Running

Name: Avg7Alrt
Display Name: AVG7 Alert Manager Server
Description:
Path Name: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Start Mode: Auto
State: Running

Name: Avg7UpdSvc
Display Name: AVG7 Update Service
Description:
Path Name: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
Start Mode: Auto
State: Running

Name: BITS
Display Name: Background Intelligent Transfer Service
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: Browser
Display Name: Computer Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: btwdins
Display Name: Bluetooth Service
Description: Handles installation and removal of Bluetooth devices.
Path Name: C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
Start Mode: Auto
State: Running

Name: CFSvcs
Display Name: ConfigFree Service
Description:
Path Name: C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
Start Mode: Auto
State: Running

Name: cisvc
Display Name: Indexing Service
Description: Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
Path Name: C:\WINDOWS\system32\cisvc.exe
Start Mode: Manual
State: Stopped

Name: ClipSrv
Display Name: ClipBook
Description: Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\clipsrv.exe
Start Mode: Disabled
State: Stopped

Name: COMSysApp
Display Name: COM+ System Application
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Start Mode: Manual
State: Stopped

Name: Crypkey License
Display Name: Crypkey License
Description:
Path Name: crypserv.exe
Start Mode: Auto
State: Running

Name: CryptSvc
Display Name: Cryptographic Services
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Description: Provides launch functionality for DCOM services.
Path Name: C:\WINDOWS\system32\svchost -k DcomLaunch
Start Mode: Auto
State: Running

Name: Dhcp
Display Name: DHCP Client
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: dmadmin
Display Name: Logical Disk Manager Administrative Service
Description: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
Path Name: C:\WINDOWS\System32\dmadmin.exe /com
Start Mode: Manual
State: Stopped

Name: dmserver
Display Name: Logical Disk Manager
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: Dnscache
Display Name: DNS Client
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k NetworkService
Start Mode: Auto
State: Running

Name: ERSvc
Display Name: Error Reporting Service
Description: Allows error reporting for services and applictions running in non-standard environments.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: Eventlog
Display Name: Event Log
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Path Name: C:\WINDOWS\system32\services.exe
Start Mode: Auto
State: Running

Name: EventSystem
Display Name: COM+ Event System
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: FastUserSwitchingCompatibility
Display Name: Fast User Switching Compatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: helpsvc
Display Name: Help and Support
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: HidServ
Display Name: HID Input Service
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: HTTPFilter
Display Name: HTTP SSL
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Start Mode: Manual
State: Stopped

Name: ImapiService
Display Name: IMAPI CD-Burning COM Service
Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\imapi.exe
Start Mode: Manual
State: Stopped

Name: Irmon
Display Name: Infrared Monitor
Description: Supports infrared devices installed on the computer and detects other devices that are in range.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: lanmanserver
Display Name: Server
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: lanmanworkstation
Display Name: Workstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: LiveUpdate
Display Name: LiveUpdate
Description: LiveUpdate Core Engine
Path Name: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
Start Mode: Manual
State: Stopped

Name: LmHosts
Display Name: TCP/IP NetBIOS Helper
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Path Name: C:\WINDOWS\System32\svchost.exe -k LocalService
Start Mode: Auto
State: Running

Name: LMIMaint
Display Name: LogMeIn Maintenance Service
Description:
Path Name: "C:\Program Files\LogMeIn\x86\RaMaint.exe"
Start Mode: Auto
State: Stopped

Name: LogMeIn
Display Name: LogMeIn
Description:
Path Name: "C:\Program Files\LogMeIn\x86\LogMeIn.exe"
Start Mode: Auto
State: Stopped

Name: MDM
Display Name: Machine Debug Manager
Description: Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly.
Path Name: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"
Start Mode: Auto
State: Running

Name: Messenger
Display Name: Messenger
Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Disabled
State: Stopped

Name: Microsoft Office Groove Audit Service
Display Name: Microsoft Office Groove Audit Service
Description:
Path Name: "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
Start Mode: Manual
State: Stopped

Name: mnmsrvc
Display Name: NetMeeting Remote Desktop Sharing
Description: Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\mnmsrvc.exe
Start Mode: Manual
State: Stopped

Name: MSDTC
Display Name: Distributed Transaction Coordinator
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\msdtc.exe
Start Mode: Manual
State: Stopped

Name: MSIServer
Display Name: Windows Installer
Description: Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\msiexec.exe /V
Start Mode: Manual
State: Stopped

Name: Nero BackItUp Scheduler 3
Display Name: Nero BackItUp Scheduler 3
Description: Nero BackItUp Scheduler 3 is responsible to control all jobs created using Nero BackItUp 3. These jobs can create backups of selected files/folders/partitions or complete hard disk to hard disk, network drive, disc or FTP.
Path Name: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Start Mode: Auto
State: Running

Name: NetDDE
Display Name: Network DDE
Description: Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\netdde.exe
Start Mode: Disabled
State: Stopped

Name: NetDDEdsdm
Display Name: Network DDE DSDM
Description: Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\netdde.exe
Start Mode: Disabled
State: Stopped

Name: Netlogon
Display Name: Net Logon
Description: Supports pass-through authentication of account logon events for computers in a domain.
Path Name: C:\WINDOWS\System32\lsass.exe
Start Mode: Manual
State: Stopped

Name: Netman
Display Name: Network Connections
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: Nla
Display Name: Network Location Awareness (NLA)
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: NMIndexingService
Display Name: NMIndexingService
Description:
Path Name: "C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"
Start Mode: Manual
State: Running

Name: NtLmSsp
Display Name: NT LM Security Support Provider
Description: Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
Path Name: C:\WINDOWS\System32\lsass.exe
Start Mode: Manual
State: Stopped

Name: NtmsSvc
Display Name: Removable Storage
Description:
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: NVSvc
Display Name: NVIDIA Driver Helper Service
Description:
Path Name: C:\WINDOWS\system32\nvsvc32.exe
Start Mode: Auto
State: Running

Name: odserv
Display Name: Microsoft Office Diagnostics Service
Description: Run portions of Microsoft Office Diagnostics.
Path Name: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
Start Mode: Manual
State: Stopped

Name: ose
Display Name: Office Source Engine
Description: Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
Path Name: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Start Mode: Manual
State: Stopped

Name: PlugPlay
Display Name: Plug and Play
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Path Name: C:\WINDOWS\system32\services.exe
Start Mode: Auto
State: Running

Name: Pml Driver HPZ12
Display Name: Pml Driver HPZ12
Description:
Path Name: C:\WINDOWS\System32\svchost.exe -k HPZ12
Start Mode: Auto
State: Running

Name: PolicyAgent
Display Name: IPSEC Services
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Path Name: C:\WINDOWS\System32\lsass.exe
Start Mode: Auto
State: Running

Name: ProtectedStorage
Display Name: Protected Storage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Path Name: C:\WINDOWS\system32\lsass.exe
Start Mode: Auto
State: Running

Name: RasAuto
Display Name: Remote Access Auto Connection Manager
Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: RasMan
Display Name: Remote Access Connection Manager
Description: Creates a network connection.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: RDSessMgr
Display Name: Remote Desktop Help Session Manager
Description: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
Path Name: C:\WINDOWS\system32\sessmgr.exe
Start Mode: Manual
State: Stopped

Name: RemoteAccess
Display Name: Routing and Remote Access
Description: Offers routing services to businesses in local area and wide area network environments.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Disabled
State: Stopped

Name: RemoteRegistry
Display Name: Remote Registry
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Auto
State: Running

Name: RpcLocator
Display Name: Remote Procedure Call (RPC) Locator
Description: Manages the RPC name service database.
Path Name: C:\WINDOWS\System32\locator.exe
Start Mode: Manual
State: Stopped

Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Path Name: C:\WINDOWS\system32\svchost -k rpcss
Start Mode: Auto
State: Running

Name: RSVP
Display Name: QoS RSVP
Description: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Path Name: C:\WINDOWS\System32\rsvp.exe
Start Mode: Manual
State: Stopped

Name: SamSs
Display Name: Security Accounts Manager
Description: Stores security information for local user accounts.
Path Name: C:\WINDOWS\system32\lsass.exe
Start Mode: Auto
State: Running

Name: SCardSvr
Display Name: Smart Card
Description: Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\SCardSvr.exe
Start Mode: Manual
State: Stopped

Name: Schedule
Display Name: Task Scheduler
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: seclogon
Display Name: Secondary Logon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: SENS
Display Name: System Event Notification
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: SharedAccess
Display Name: Windows Firewall/Internet Connection Sharing (ICS)
Description: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: ShellHWDetection
Display Name: Shell Hardware Detection
Description:
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: Spooler
Display Name: Print Spooler
Description: Loads files to memory for later printing.
Path Name: C:\WINDOWS\system32\spoolsv.exe
Start Mode: Auto
State: Running

Name: srservice
Display Name: System Restore Service
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: SSDPSRV
Display Name: SSDP Discovery Service
Description: Enables discovery of UPnP devices on your home network.
Path Name: C:\WINDOWS\System32\svchost.exe -k LocalService
Start Mode: Manual
State: Running

Name: stisvc
Display Name: Windows Image Acquisition (WIA)
Description: Provides image acquisition services for scanners and cameras.
Path Name: C:\WINDOWS\System32\svchost.exe -k imgsvc
Start Mode: Manual
State: Stopped

Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\dllhost.exe /Processid:{5CF752E2-3412-44AF-B51D-C9BF642EE24B}
Start Mode: Manual
State: Stopped

Name: SysmonLog
Display Name: Performance Logs and Alerts
Description: Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\smlogsvc.exe
Start Mode: Manual
State: Stopped

Name: TapiSrv
Display Name: Telephony
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Running

Name: TermService
Display Name: Terminal Services
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Path Name: C:\WINDOWS\System32\svchost -k DComLaunch
Start Mode: Manual
State: Running

Name: Themes
Display Name: Themes
Description: Provides user experience theme management.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: TlntSvr
Display Name: Telnet
Description: Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\tlntsvr.exe
Start Mode: Manual
State: Stopped

Name: TrkWks
Display Name: Distributed Link Tracking Client
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: upnphost
Display Name: Universal Plug and Play Device Host
Description: Provides support to host Universal Plug and Play devices.
Path Name: C:\WINDOWS\System32\svchost.exe -k LocalService
Start Mode: Manual
State: Stopped

Name: UPS
Display Name: Uninterruptible Power Supply
Description: Manages an uninterruptible power supply (UPS) connected to the computer.
Path Name: C:\WINDOWS\System32\ups.exe
Start Mode: Manual
State: Stopped

Name: VSS
Display Name: Volume Shadow Copy
Description: Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\vssvc.exe
Start Mode: Manual
State: Stopped

Name: W32Time
Display Name: Windows Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: WebClient
Display Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\System32\svchost.exe -k LocalService
Start Mode: Auto
State: Running

Name: winmgmt
Display Name: Windows Management Instrumentation
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Path Name: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: WmdmPmSN
Display Name: Portable Media Serial Number Service
Description: Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: Wmi
Display Name: Windows Management Instrumentation Driver Extensions
Description: Provides systems management information to and from drivers.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: WmiApSrv
Display Name: WMI Performance Adapter
Description: Provides performance library information from WMI HiPerf providers.
Path Name: C:\WINDOWS\System32\wbem\wmiapsrv.exe
Start Mode: Manual
State: Stopped

Name: WMPNetworkSvc
Display Name: Windows Media Player Network Sharing Service
Description: Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play
Path Name: "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Start Mode: Manual
State: Stopped

Name: wscsvc
Display Name: Security Center
Description: Monitors system security settings and configurations.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: WSearch
Display Name: Windows Search
Description: Provides content indexing and property caching for file, email and other content (via extensibility APIs). The service responds to file and email notifications to index modified content. If the service is stopped or disabled, the Explorer will not be able to display virtual folder views of items, and search in the Explorer will fall back to item-by-item slow search.
Path Name: C:\WINDOWS\system32\SearchIndexer.exe /Embedding
Start Mode: Auto
State: Running

Name: wuauserv
Display Name: Automatic Updates
Description: Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: WudfSvc
Display Name: Windows Driver Foundation - User-mode Driver Framework
Description: Manages user-mode driver host processes
Path Name: C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Start Mode: Manual
State: Stopped

Name: WZCSVC
Display Name: Wireless Zero Configuration
Description: Provides automatic configuration for the 802.11 adapters
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto
State: Running

Name: xmlprov
Display Name: Network Provisioning Service
Description: Manages XML configuration files on a domain basis for automatic network provisioning.
Path Name: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual
State: Stopped

Name: SBCSSvc
Display Name: Sunbelt CounterSpy Antispyware
Description: Manages your antispyware application
Path Name: "C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"
Start Mode: Auto
State: Running


------------------------------------------------------------------------------------

Displaying LOG for Microsoft Windows Malicious Software Removal Tool:

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007
Started On Mon Nov 05 16:04:22 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Nov 05 16:05:29 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.35, November 2007
Started On Wed Nov 14 23:05:37 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 14 23:06:21 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.35, November 2007
Started On Thu Dec 06 17:09:01 2007

Extended Scan Results
----------------
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\Application Data\Move Networks\ie_bin\qsp2ie07074039.dll (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\My Music\Clone CD 4.4.3.1.0 + KeyGen.zip->clone cd 4.4.3.1.0 and serial + keygen/SetupCloneCD 4.4.3.1.exe->(PaquetBuilder)->CloneCD.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\My Music\Clone CD 4.4.3.1.0 + KeyGen.zip->clone cd 4.4.3.1.0 and serial + keygen/SetupCloneCD 4.4.3.1.exe->CloneCD.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\My Music\Nero.8.[solo.Keygen].[TESTED.ok].sblokka.plug-in.by.MAXTRIX.[GBM].rar->Nero.8.[solo.Keygen].[TESTED.ok].sblokka.plug-in.by.MAXTRIX.[GBM]\Betamaster Keygen\keygen_update3 by Betamaster.exe (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Cheetah DVD Burner v1.65.rar->Cheetah DVD Burner v1.65\CheetahDVDBurner.exe->(CABSfx)->\Disk1\data2.cab->(ishld#0049) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\DIVX6.0.3withkeygen.rar->DivXCreate.exe->(nsis-6-$(ENVVAR))#93 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\DIVX6.0.3withkeygen.rar->DivXCreate.exe->(nsis-6-$(PLUGINSDIR)\GoogleDesktopSearch-de.exe) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\DIVX6.0.3withkeygen.rar->DivXCreate.exe->(nsis-6-$(PLUGINSDIR)\GoogleDesktopSearch-ja.exe) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DivX521XP2K.exe->(nsis-6-$(PLUGINSDIR)\README_de.txt) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DivX521XP2K.exe->(nsis-6-$(PLUGINSDIR)\README_ja.txt) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DivX521XP2K.exe->(nsis-6-License_en.txt) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DivX521XP2K.exe->(nsis-6-lang_de.qm) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DivX521XP2K.exe->(nsis-6-$(PLUGINSDIR)\GoogleToolbarInstallerXP2K_fr.exe) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#8 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#9 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#11 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#14 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#19 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#21 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#22 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#23 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#24 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#25 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#26 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#27 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#28 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#29 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#30 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(PLUGINSDIR)\prefman.dll) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#32 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#34 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#35 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#37 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#38 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-README.txt) (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx 1.0.6 + DivX 5.2.1 with keygens.rar->Dr Divx 1.0.6 + DivX 5.2.1 with keygens\DrDivX106.exe->(nsis-6-$(ENVVAR))#62 (code 0x0000000D (13))
->Scan ERROR: resource file://C:\Documents and Settings\Administrator\My Documents\Downloads\DVD and CD Authoring Tools\Dr Divx

#44
coolrider69 (Topic Starter, Member, 36 posts)


#45
coolrider69 (Topic Starter, Member, 36 posts)
Part 3 ....

----------------------------------------------------------------------------
Current User ZoneMap ProtocolDefaults
----------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\protocoldefaults
<NO NAME> REG_SZ
http REG_DWORD 3 (0x3)
https REG_DWORD 3 (0x3)
ftp REG_DWORD 3 (0x3)
file REG_DWORD 3 (0x3)
@ivt REG_DWORD 1 (0x1)
shell REG_DWORD 0 (0x0)

----------------------------------------------------------------------------
Default URL Prefix Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url\DefaultPrefix
<NO NAME> REG_SZ http://

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\url\Prefixes
ftp REG_SZ ftp://
gopher REG_SZ gopher://
home REG_SZ http://
mosaic REG_SZ http://
www REG_SZ http://

--------------------------------------------------------------------------
Startup Items Disabled via MSCONFIG:
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Select AutoRun Registry Keys:
--------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
eyeBeam SIP Client REG_SZ "C:\Program Files\CounterPath\X-Lite\x-lite.exe"
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} REG_SZ "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
SUPERAntiSpyware REG_SZ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /installquiet
00THotkey REG_SZ C:\WINDOWS\system32\00THotkey.exe
000StTHK REG_SZ 000StTHK.exe
TFncKy REG_SZ TFncKy.exe
TPSMain REG_SZ TPSMain.exe
SigmaTel StacMon REG_SZ C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
!AVG Anti-Spyware REG_SZ "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
GrooveMonitor REG_SZ "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
Acrobat Assistant 7.0 REG_SZ "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
UserFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -u
LogMeIn GUI REG_SZ "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
NeroFilterCheck REG_SZ C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
NBKeyScan REG_SZ "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
AVG7_CC REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
<NO NAME> REG_SZ
SBCSTray REG_SZ C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce


HKEY_USERS\.default\software\microsoft\windows\currentversion\run
AVG7_Run REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run
AVG7_Run REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE


HKEY_USERS\s-1-5-19\software\microsoft\windows\currentversion\run
AVG7_Run REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE


HKEY_USERS\s-1-5-20\software\microsoft\windows\currentversion\run
AVG7_Run REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

--------------------------------------------------------------------------
WinLogon Notify Registry Key:
--------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon
Logoff REG_SZ SABWINLOLogoff
Startup REG_SZ SABWINLOStartup
Shutdown REG_SZ SABWINLOShutdown
Asynchronous REG_DWORD 0 (0x0)
Impersonate REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
Asynchronous REG_DWORD 0 (0x0)
Impersonate REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
Asynchronous REG_DWORD 0 (0x0)
Impersonate REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0 (0x0)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit
Asynchronous REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ LMIinit.dll
Impersonate REG_DWORD 0 (0x0)
Lock REG_SZ WLEventLock
Logoff REG_SZ WLEventLogoff
Logon REG_SZ WLEventLogon
Shutdown REG_SZ WLEventShutdown
StartScreenSaver REG_SZ WLEventStartScreenSaver
StartShell REG_SZ WLEventStartShell
Startup REG_SZ WLEventStartup
StopScreenSaver REG_SZ WLEventStopScreenSaver
Unlock REG_SZ WLEventUnlock

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon
LoginDomain REG_SZ SCOTT

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 1 (0x1)
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
Asynchronous REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0 (0x0)
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0 (0x0)
Asynchronous REG_DWORD 1 (0x1)
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 1 (0x1)
MaxWait REG_DWORD 600 (0x258)
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
Asynchronous REG_DWORD 0 (0x0)
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0 (0x0)
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 600 (0x258)
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 1 (0x1)
Asynchronous REG_DWORD 1 (0x1)

--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

--------------------------------------------------------------------------
Scheduled Tasks:
--------------------------------------------------------------------------

Volume in drive C has no label.
Volume Serial Number is A89D-B2B2

Directory of C:\WINDOWS\tasks

12/07/2007 10:49 PM <DIR> .
12/07/2007 10:49 PM <DIR> ..
08/23/2001 06:00 AM 65 desktop.ini
12/09/2007 01:29 AM 6 SA.DAT
2 File(s) 71 bytes

Total Files Listed:
2 File(s) 71 bytes
2 Dir(s) 60,844,429,312 bytes free
HR C:\WINDOWS\tasks\desktop.ini
A H C:\WINDOWS\tasks\SA.DAT

----------------------------------------------------------------------------
ShellExecuteHooks Registry Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} REG_SZ AVG Anti-Spyware 7.5
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} REG_SZ Groove GFS Stub Execution Hook
{56F9679E-7826-4C84-81F3-532071A8BCC5} REG_SZ
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} REG_SZ

----------------------------------------------------------------------------
ShellServiceObjectDelayLoad Registry Keys
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}

----------------------------------------------------------------------------
ModuleUsage Registry Keys:
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/ca.pub
.Owner REG_SZ {0B79F48A-E8D6-11DB-9283-E25056D89593}
{0B79F48A-E8D6-11DB-9283-E25056D89593} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/common.dat
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/daas_s.dll
.Owner REG_SZ {0B79F48A-E8D6-11DB-9283-E25056D89593}
{0B79F48A-E8D6-11DB-9283-E25056D89593} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/DGTx.ocx
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/driveragent.ocx
.Owner REG_SZ {E8F628B5-259A-4734-97EE-BA914D7BE941}
{E8F628B5-259A-4734-97EE-BA914D7BE941} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/fsauc.dll
.Owner REG_SZ {0B79F48A-E8D6-11DB-9283-E25056D89593}
{0B79F48A-E8D6-11DB-9283-E25056D89593} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/fscax.dll
.Owner REG_SZ {0B79F48A-E8D6-11DB-9283-E25056D89593}
{0B79F48A-E8D6-11DB-9283-E25056D89593} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/Housecall_ActiveX.dll
.Owner REG_SZ {215B8138-A3CF-44C5-803F-8226143CFC0A}
{215B8138-A3CF-44C5-803F-8226143CFC0A} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/LMIProxyHelper.exe
.Owner REG_SZ {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/RACtrl.dll
.Owner REG_SZ {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/toolkit_widget.gif
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/unicows.dll
.Owner REG_SZ {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/unknown.dat
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/asycfilt.dll
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/Codejock.CommandBars.v10.4.0.ocx
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/Codejock.DockingPane.v10.4.0.ocx
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/Codejock.PropertyGrid.v10.4.0.ocx
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/Codejock.ReportControl.v10.4.0.ocx
.Owner REG_SZ {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D}
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/COMCAT.DLL
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/mfc42.dll
.Owner REG_SZ Unknown Owner
{215B8138-A3CF-44C5-803F-8226143CFC0A} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/MSCOMCTL.OCX
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/msvbvm60.dll
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/msvcp60.dll
.Owner REG_SZ Unknown Owner
{215B8138-A3CF-44C5-803F-8226143CFC0A} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/msvcrt.dll
.Owner REG_SZ Unknown Owner
{215B8138-A3CF-44C5-803F-8226143CFC0A} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/muweb.dll
.Owner REG_SZ {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/oleaut32.dll
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/olepro32.dll
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ
{215B8138-A3CF-44C5-803F-8226143CFC0A} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/ractrlkeyhook.dll
.Owner REG_SZ {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/system32/stdole2.tlb
.Owner REG_SZ Unknown Owner
{F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} REG_SZ

----------------------------------------------------------------------------
BHO Registry Keys:
----------------------------------------------------------------------------



HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{53707962-6F74-2D53-2644-206D7942484F}

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
<NO NAME> REG_SZ

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{AE7CD045-E861-484f-8273-0445EE161910}
<NO NAME> REG_SZ

--------------------------------------------------------------------------
Select Policy Keys:
--------------------------------------------------------------------------



HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_BINARY ff000000

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system


HKEY_CURRENT_USER\software\policies\microsoft\internet explorer

HKEY_CURRENT_USER\software\policies\microsoft\internet explorer\Control Panel


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer
NoDriveAutoRun REG_DWORD 67108863 (0x3ffffff)
NoDriveTypeAutoRun REG_DWORD 255 (0xff)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system
dontdisplaylastusername REG_DWORD 0 (0x0)
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 1 (0x1)
undockwithoutlogon REG_DWORD 1 (0x1)


HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_DWORD 145 (0x91)

HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_USERS\.default\software\microsoft\windows\currentversion\policies

HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\Explorer

HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer
NoDriveTypeAutoRun REG_DWORD 145 (0x91)

HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run


HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system

***********************************************************************************

Checking File System for suspicious Files

--------------------------------------------------------------------------
Items in the Root Directory:
--------------------------------------------------------------------------

Locating all files created in C:\

"C:\"
$VAULT$.AVG Dec 6 2007 "$VAULT$.AVG"
rnd~1 Nov 25 2007 1024 ".rnd"
autoexec.bat Nov 2 2007 0 "AUTOEXEC.BAT"
boot.ini Nov 2 2007 211 "boot.ini"
ckinfo.txt Nov 3 2007 384 "CKINFO.TXT"
combofix.txt Dec 9 2007 17951 "ComboFix.txt"
combof~1.txt Dec 7 2007 17320 "ComboFix2.txt"
comlog.txt Nov 7 2007 0 "COMLOG.txt"
config.sys Nov 2 2007 0 "CONFIG.SYS"
DECKARD Dec 7 2007 "Deckard"
delete.bat Dec 7 2007 106 "delete.bat"
DOCUME~1 Nov 2 2007 "Documents and Settings"
export.txt Dec 7 2007 46 "Export.txt"
HPLJ4X~1 Nov 19 2007 "HP LJ 4x50 Series"
io.sys Nov 2 2007 0 "IO.SYS"
ISEEYO~1 Dec 9 2007 "ISeeYouXP"
KAV Dec 3 2007 "KAV"
libsrt~1.txt Nov 7 2007 0 "libSRTP_log.txt"
msdos.sys Nov 2 2007 0 "MSDOS.SYS"
MSOCACHE Nov 2 2007 "MSOCache"
nolop.log Dec 7 2007 3029 "NoLop.log"
ntdetect.com Nov 2 2007 47564 "NTDETECT.COM"
ntldr Nov 2 2007 250032 "ntldr"
pagefile.sys Dec 9 2007 1610612736 "pagefile.sys"
PROGRA~1 Nov 2 2007 "Program Files"
QOOBOX Dec 7 2007 "qoobox"
rapport.txt Dec 9 2007 4597 "rapport.txt"
RECYCLER Nov 2 2007 "RECYCLER"
SYSTEM~1 Nov 2 2007 "System Volume Information"
WINDOWS Nov 2 2007 "WINDOWS"
_OTMOV~1 Dec 7 2007 "_OTMoveIt"

31 items found: 18 files (6 H/S), 13 directories (4 H/S).
Total of file sizes: 1,610,955,000 bytes 1.50 G

--------------------------------------------------------------------------
Locating all Backup files on C:
--------------------------------------------------------------------------

Locating all *.BAK* files

"C:\WINDOWS\"
imsins.bak Nov 30 2007 1393 "imsins.BAK"

"C:\WINDOWS\inf\"
mplayer2.bak Aug 23 2001 18755 "mplayer2.bak"

"C:\WINDOWS\ERDNT\subs\"
software.bak Dec 7 2007 30830592 "software.bak"
system.bak Dec 7 2007 6303744 "system.bak"

"C:\WINDOWS\system32\config\"
default.bak Dec 7 2007 1572864 "default.bak"
sam.bak Dec 7 2007 24576 "SAM.bak"
security.bak Dec 7 2007 262144 "SECURITY.bak"
software.bak Dec 7 2007 30932992 "software.bak"
system.bak Dec 7 2007 6553600 "system.bak"

"C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Nov 2 2007 141 "brndlog.bak"

"C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Nov 2 2007 113 "brndlog.bak"

"C:\WINDOWS\PCHEALTH\HELPCTR\Config\Cache\"
profes~1.bak Nov 22 2007 170900 "Professional_32_1033.dat.bak"

"C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\"
opa12.bak Oct 17 2002 8200 "OPA12.BAK"

"C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Nov 2 2007 113 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\All Users\DRM\"
drmv1.bak Oct 30 2007 4348 "DRMv1.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Apr 8 2007 113 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Administrator.SCOTT\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Apr 8 2007 113 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Apr 8 2007 113 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Apr 8 2007 141 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\"
opa11.bak Oct 17 2002 8200 "OPA11.BAK"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\Local Settings\Application Data\Microsoft\Internet Explorer\"
brndlog.bak Apr 8 2007 8662 "brndlog.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\Local Settings\Application Data\Microsoft\Outlook\"
extend~1.bak May 9 2007 519 "extend.dat.bak87"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\Local Settings\Application Data\Qurb4\Outlook\"
sentmail.bak Nov 1 2007 14397 "SentMail.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\Application Data\Mozilla\Firefox\Profiles\nxkql0xe.default\"
bookma~1.bak Nov 1 2007 29691 "bookmarks.bak"
bookma~2.bak Oct 16 2007 31443 "bookmarks.html.sbsd.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\KB Home\Sitedocs 7-14-06\Scott\Chaos Data\"
appt.bak Jul 27 2006 16646 "appt.bak"
notes.bak Jul 27 2006 1040 "notes.bak"
phone.bak Jul 27 2006 106461 "phone.bak"
todo.bak Jul 27 2006 3352 "todo.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\KB Home\Sitedocs 7-14-06\Scott\Chaos Data\Oakpoint Leads\"
appt.bak Jun 15 2006 728 "appt.bak"
notes.bak Jun 15 2006 689 "notes.bak"
phone.bak Jun 15 2006 10803 "phone.bak"
todo.bak Jun 15 2006 1031 "todo.bak"

"C:\Documents and Settings\Administrator\Desktop\Dnloads\Recover\Documents and Settings\Scott G\My Documents\KB Home\Sitedocs 7-14-06\Scott\Chaos Data\Realtors\"
appt.bak Jul 3 2006 728 "appt.bak"
notes.bak Jul 3 2006 689 "notes.bak"
phone.bak Jul 3 2006 36371 "phone.bak"
todo.bak Jul 3 2006 731 "todo.bak"

37 items found: 37 files (1 H/S), 0 directories.
Total of file sizes: 76,957,136 bytes 73.39 M

--------------------------------------------------------------------------
Locating all copies of Internet Explorer on C:
--------------------------------------------------------------------------

Locating all copies of Internet Explorer

"C:\Program Files\Internet Explorer\"
iexplore.exe Aug 4 2004 93184 "iexplore.exe"

"C:\WINDOWS\$NtServicePackUninstall$\"
iexplore.exe Aug 23 2001 91136 "iexplore.exe"

"C:\WINDOWS\ServicePackFiles\i386\"
iexplore.exe Aug 4 2004 93184 "iexplore.exe"

"C:\WINDOWS\system32\dllcache\"
iexplore.exe Aug 4 2004 93184 "iexplore.exe"

4 items found: 4 files, 0 directories.
Total of file sizes: 370,688 bytes 362.00 K

--------------------------------------------------------------------------
Locating all copies of Windows Explorer on C:
--------------------------------------------------------------------------

Locating all copies of Windows Explorer

"C:\WINDOWS\"
explorer.exe Jun 13 2007 1033216 "explorer.exe"

"C:\WINDOWS\$NtUninstallKB938828$\"
explorer.exe Aug 4 2004 1032192 "explorer.exe"

"C:\WINDOWS\$NtServicePackUninstall$\"
explorer.exe Aug 23 2001 1000960 "explorer.exe"

"C:\WINDOWS\ServicePackFiles\i386\"
explorer.exe Aug 4 2004 1032192 "explorer.exe"

"C:\WINDOWS\system32\dllcache\"
explorer.exe Jun 13 2007 1033216 "explorer.exe"

"C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\"
explorer.exe Jun 13 2007 1033216 "explorer.exe"

6 items found: 6 files, 0 directories.
Total of file sizes: 6,164,992 bytes 5.88 M

--------------------------------------------------------------------------
Items in Document and Settings:
--------------------------------------------------------------------------

Listing contents of C:\Documents and Settings

"C:\Documents and Settings\"
ADMINI~1 Nov 2 2007 "Administrator"
ALLUSE~1 Nov 2 2007 "All Users"
DEFAUL~1 Nov 2 2007 "Default User"
LOCALS~1 Nov 2 2007 "LocalService"
NETWOR~1 Nov 2 2007 "NetworkService"

5 items found: 0 files, 5 directories (3 H/S).

--------------------------------------------------------------------------
Desktop Items:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Administrator\Desktop within the last 90 days.

"C:\Documents and Settings\Administrator\Desktop\"
anothe~1.log Dec 7 2007 9784 "another_hijackthis.log"
ce1.jpg Nov 22 2007 3491994 "ce1.jpg"
ce2.jpg Nov 22 2007 3493143 "ce2.jpg"
ce2.psd Nov 22 2007 17276632 "ce2.psd"
citrix.url Nov 7 2007 304 "Citrix.url"
combofix.txt Dec 9 2007 17951 "combofix.txt"
DNLOADS Nov 3 2007 "Dnloads"
dscf0083.jpg Nov 18 2007 2270994 "DSCF0083.JPG"
dscf0090.jpg Nov 18 2007 2223701 "DSCF0090.JPG"
dscf00~1.jpg Nov 22 2007 3698515 "DSCF0090-1.jpg"
dscf00~2.jpg Nov 22 2007 3296283 "DSCF0090c.jpg"
dss.txt Dec 7 2007 33981 "dss.txt"
export.txt Dec 7 2007 46 "Export.txt"
extra.txt Dec 7 2007 17718 "extra.txt"
f-secure.txt Dec 9 2007 2595 "f-secure.txt"
hijack~1.lnk Dec 7 2007 1734 "HijackThis.lnk"
hijack~1.log Dec 7 2007 14643 "hijackthis.log"
hijack~1.txt Dec 7 2007 6566 "HiJackThis_uninstall_list.txt"
hijack~2.txt Dec 7 2007 9731 "hijackthis again.txt"
hijack~3.txt Dec 9 2007 10314 "hijackthis now.txt"
iseeyo~1.lnk Dec 9 2007 534 "ISeeYouXP.lnk"
kasper~1.txt Dec 7 2007 32608 "kaspersky_online_report.txt"
klcnuvol.txt Dec 8 2007 128 "klcnuvol.txt"
log.txt Dec 7 2007 17320 "log.txt"
main.txt Dec 7 2007 33981 "main.txt"
mfsivsva.txt Dec 8 2007 128 "mfsivsva.txt"
moved.txt Dec 7 2007 7646 "moved.txt"
newotm~1.txt Dec 7 2007 171 "New otm.txt"
NEWFOL~1 Nov 23 2007 "New Folder"
new_hi~1.log Dec 7 2007 9685 "new_hijackthis.log"
new_wi~1.txt Dec 7 2007 46714 "new_WinPFind3.Txt"
ok3352~1.doc Dec 7 2007 13715 "OK.docx"
otm.txt Dec 7 2007 1045 "otm.txt"
palmde~1.lnk Nov 4 2007 1639 "Palm Desktop.lnk"
rsfghcze.txt Dec 8 2007 128 "rsfghcze.txt"
satell~1.lnk Nov 28 2007 228 "Satellite TV for PC - Read Me.lnk"
shortc~1.lnk Dec 7 2007 831 "Shortcut to CoolRider.exe.lnk"
sitesp~1.lnk Nov 9 2007 2055 "SiteSpinnerV2.lnk"
SMITFR~1 Dec 7 2007 "SmitfraudFix"
smitfr~1.txt Dec 7 2007 4859 "smitfraudrapport.txt"
virusl~1.csv Dec 7 2007 496 "viruslist.csv"
virusl~1.tab Dec 9 2007 753 "viruslault.tab"
winmx.lnk Nov 2 2007 638 "WinMX.lnk"
WINPFI~1 Dec 7 2007 "WinPFind3u"
winpfi~1.txt Dec 7 2007 452427 "WinPFind3.Txt"
x-lite.lnk Nov 7 2007 784 "X-Lite.lnk"

46 items found: 42 files, 4 directories.
Total of file sizes: 36,505,142 bytes 34.81 M

Locating all files created in C:\Documents and Settings\All Users\Desktop\ within the last 90 days.

"C:\Documents and Settings\All Users\Desktop\"
ad-awa~1.lnk Dec 4 2007 1790 "Ad-Aware 2007.lnk"
ad-wat~1.lnk Dec 4 2007 1790 "Ad-Watch 2007.lnk"
avg75~1.lnk Dec 6 2007 1532 "AVG 7.5.lnk"
counte~1.lnk Dec 9 2007 1821 "CounterSpy.lnk"
neroho~1.lnk Nov 30 2007 2254 "Nero Home.lnk"
nerost~1.lnk Nov 30 2007 2352 "Nero StartSmart.lnk"
smartf~1.lnk Nov 9 2007 1844 "SmartFTP Client.lnk"
supera~1.lnk Dec 7 2007 780 "SUPERAntiSpyware Free Edition.lnk"
toshib~1.lnk Nov 2 2007 1541 "TOSHIBA Console.lnk"

9 items found: 9 files, 0 directories.
Total of file sizes: 15,704 bytes 15.34 K

--------------------------------------------------------------------------
Start Menu Items:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Administrator\Start Menu within the last 90 days.

"C:\Documents and Settings\Administrator\Start Menu\"
desktop.ini Nov 2 2007 62 "desktop.ini"
PROGRAMS Nov 2 2007 "Programs"

2 items found: 1 file (1 H/S), 1 directory.
Total of file sizes: 62 bytes 0.06 K

Locating all files created in C:\Documents and Settings\Administrator\Start Menu\Programs\Startup within the last 90 days.

"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\"
adobeg~1.lnk Nov 22 2007 988 "Adobe Gamma.lnk"
desktop.ini Nov 2 2007 84 "desktop.ini"
onenot~1.lnk Nov 28 2007 947 "OneNote 2007 Screen Clipper and Launcher.lnk"
palmon~1.lnk Dec 3 2007 751 "palmOne Registration.lnk"

4 items found: 4 files (1 H/S), 0 directories.
Total of file sizes: 2,770 bytes 2.70 K

Locating all files created in C:\Documents and Settings\All Users\Start Menu within the last 90 days.

"C:\Documents and Settings\All Users\Start Menu\"
desktop.ini Nov 2 2007 272 "desktop.ini"
micros~1.lnk Nov 2 2007 1566 "Microsoft Update.lnk"
myblue~1.lnk Nov 3 2007 324 "My Bluetooth Places.lnk"
PROGRAMS Nov 2 2007 "Programs"
setpro~1.lnk Nov 2 2007 1563 "Set Program Access and Defaults.lnk"
window~1.lnk Nov 2 2007 1507 "Windows Update.lnk"
window~2.lnk Nov 2 2007 398 "Windows Catalog.lnk"

7 items found: 6 files (1 H/S), 1 directory.
Total of file sizes: 5,630 bytes 5.50 K

Locating all files created in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ within the last 90 days.

"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\"
blueto~1.lnk Nov 3 2007 633 "Bluetooth.lnk"
desktop.ini Nov 2 2007 84 "desktop.ini"
hotsyn~1.lnk Nov 4 2007 1556 "HotSync Manager.lnk"

3 items found: 3 files (1 H/S), 0 directories.
Total of file sizes: 2,273 bytes 2.22 K

--------------------------------------------------------------------------
Application Data Items:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Administrator\Application Data\ within the last 90 days.

"C:\Documents and Settings\Administrator\Application Data\"
ADOBE Nov 3 2007 "Adobe"
ADOBEUM Nov 3 2007 "AdobeUM"
ARCSOFT Nov 3 2007 "Arcsoft"
AVG7 Dec 6 2007 "AVG7"
commas~1.cal Nov 7 2007 10667 "Comma Separated Values (Windows).CAL"
desktop.ini Nov 2 2007 62 "desktop.ini"
GOOGLE Nov 28 2007 "Google"
HELP Nov 27 2007 "Help"
HOTSYNC Nov 3 2007 "HotSync"
ICACLI~1 Nov 7 2007 "ICAClient"
IDENTI~1 Nov 2 2007 "Identities"
JASCSO~1 Nov 22 2007 "Jasc Software Inc"
LEADER~1 Nov 3 2007 "Leadertech"
MACROM~1 Nov 3 2007 "Macromedia"
MICROS~1 Nov 2 2007 "Microsoft"
MOVENE~1 Nov 28 2007 "Move Networks"
MOZILLA Dec 6 2007 "Mozilla"
NERO Nov 30 2007 "Nero"
SMARTFTP Nov 9 2007 "SmartFTP"
SUNBEL~1 Dec 9 2007 "Sunbelt Software"
SUPERA~1.COM Dec 7 2007 "SUPERAntiSpyware.com"
VIRTUA~1 Nov 9 2007 "Virtual Mechanics"
WINDOW~1 Nov 3 2007 "Windows Desktop Search"

23 items found: 2 files (1 H/S), 21 directories (1 H/S).
Total of file sizes: 10,729 bytes 10.48 K

Locating all files created in C:\Documents and Settings\Administrator\Local Settings\Application Data\ within the last 90 days.

"C:\Documents and Settings\Administrator\Local Settings\Application Data\"
ADOBE Nov 3 2007 "Adobe"
AHEAD Nov 30 2007 "Ahead"
COUNTE~1 Nov 7 2007 "CounterPath"
dcbc2a~1.ini Dec 3 2007 11264 "DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini"
gdipfo~1.dat Nov 22 2007 69624 "GDIPFONTCACHEV1.DAT"
HELP Nov 27 2007 "Help"
iconca~1.db Dec 7 2007 4846792 "IconCache.db"
IDENTI~1 Nov 3 2007 "Identities"
MICROS~1 Nov 2 2007 "Microsoft"
MICROS~2 Nov 2 2007 "Microsoft Help"
MOZILLA Dec 6 2007 "Mozilla"
PCHEALTH Nov 4 2007 "PCHealth"
SYMANTEC Nov 2 2007 "Symantec"

13 items found: 3 files (1 H/S), 10 directories.
Total of file sizes: 4,927,680 bytes 4.70 M

Locating all files created in C:\Documents and Settings\All Users\Application Data\ within the last 90 days.

"C:\Documents and Settings\All Users\Application Data\"
ADOBE Nov 3 2007 "Adobe"
ADOBES~1 Nov 3 2007 "Adobe Systems"
AVG7 Dec 1 2007 "Avg7"
desktop.ini Nov 2 2007 62 "desktop.ini"
GRISOFT Nov 2 2007 "Grisoft"
HEWLET~1 Nov 19 2007 "Hewlett-Packard"
HOTSYNC Nov 3 2007 "HotSync"
KASPER~1 Dec 3 2007 "Kaspersky Lab"
LAVASOFT Dec 4 2007 "Lavasoft"
MICROS~1 Nov 2 2007 "Microsoft"
MICROS~2 Nov 2 2007 "Microsoft Help"
NERO Nov 30 2007 "Nero"
SPYBOT~1 Dec 4 2007 "Spybot - Search & Destroy"
SUNBEL~1 Dec 9 2007 "Sunbelt Software"
SUPERA~1.COM Dec 7 2007 "SUPERAntiSpyware.com"
svclog.log Dec 9 2007 902 "Svclog.log"
SYMANTEC Nov 2 2007 "Symantec"
VIRTUA~1 Nov 9 2007 "Virtual Mechanics"
WINDOW~1 Nov 2 2007 "Windows Genuine Advantage"

19 items found: 2 files (1 H/S), 17 directories (1 H/S).
Total of file sizes: 964 bytes 0.94 K

--------------------------------------------------------------------------
C:\Documents and Settings\Administrator\Local Settings\TEMP:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Administrator\Local Settings\TEMP within the last 90 days.

--------------------------------------------------------------------------
Items in Templates Folder:
--------------------------------------------------------------------------

Locating all files created in C:\Documents and Settings\Administrator\Templates

"C:\Documents and Settings\Administrator\Templates\"
amipro.sam Aug 23 2001 4570 "amipro.sam"
excel.xls Aug 23 2001 5632 "excel.xls"
excel4.xls Aug 23 2001 1518 "excel4.xls"
lotus.wk4 Aug 23 2001 2448 "lotus.wk4"
powerpnt.ppt Aug 23 2001 12288 "powerpnt.ppt"
presenta.shw Aug 23 2001 461 "presenta.shw"
quattro.wb2 Aug 23 2001 4017 "quattro.wb2"
sndrec.wav Aug 23 2001 58 "sndrec.wav"
winword.doc Aug 23 2001 4608 "winword.doc"
winword2.doc Aug 23 2001 1769 "winword2.doc"
wordpfct.wpd Aug 23 2001 30 "wordpfct.wpd"
wordpfct.wpg Aug 23 2001 57 "wordpfct.wpg"

12 items found: 12 files, 0 directories.
Total of file sizes: 37,456 bytes 36.58 K

--------------------------------------------------------------------------
Items in Program Files:
--------------------------------------------------------------------------

Locating all files created in C:\Program Files\ within the last 90 days.

"C:\Program Files\"
ADOBE Nov 3 2007 "Adobe"
BELKIN Nov 3 2007 "Belkin"
CANON Nov 15 2007 "Canon"
CITRIX Nov 7 2007 "Citrix"
COMMON~1 Nov 2 2007 "Common Files"
COMPLU~1 Nov 2 2007 "ComPlus Applications"
COUNTE~1 Nov 7 2007 "CounterPath"
DRIVER~1 Nov 3 2007 "Drive Rescue"
GOOGLE Nov 28 2007 "Google"
GRISOFT Nov 2 2007 "Grisoft"
HIJACK~1 Dec 4 2007 "HijackThis"
INSTAL~1 Nov 2 2007 "InstallShield Installation Information"
INTEL Nov 2 2007 "Intel"
INTERN~1 Nov 2 2007 "Internet Explorer"
JASCSO~1 Nov 22 2007 "Jasc Software Inc"
KASPER~1 Dec 3 2007 "Kaspersky Lab"
LAVASOFT Dec 4 2007 "Lavasoft"
LOGMEIN Nov 25 2007 "LogMeIn"
MESSEN~1 Nov 2 2007 "Messenger"
MICROS~1 Nov 2 2007 "microsoft frontpage"
MICROS~1.2 Nov 3 2007 "Microsoft CAPICOM 2.1.0.2"
MICROS~2 Nov 2 2007 "Microsoft Office"
MICROS~3 Nov 2 2007 "Microsoft Visual Studio"
MICROS~4 Nov 2 2007 "Microsoft Works"
MOVIEM~1 Nov 2 2007 "Movie Maker"
MOZILL~1 Dec 6 2007 "Mozilla Firefox(2)"
MSBUILD Nov 2 2007 "MSBuild"
MSN Nov 7 2007 "MSN"
MSNGAM~1 Nov 2 2007 "MSN Gaming Zone"
MSXML4~1.0 Dec 1 2007 "MSXML 4.0"
MXPIEP~1 Nov 2 2007 "MXpie Patch"
NERO Nov 30 2007 "Nero"
NETMEE~1 Nov 2 2007 "NetMeeting"
ONLINE~1 Nov 2 2007 "Online Services"
OUTLOO~1 Nov 2 2007 "Outlook Express"
PALMIN~1 Nov 4 2007 "Palm Inc"
PALMONE Nov 4 2007 "palmOne"
SIGMATEL Nov 2 2007 "SigmaTel"
SMARTF~1 Nov 9 2007 "SmartFTP Client"
SMARTF~1.5SE Nov 9 2007 "SmartFTP Client 2.5 Setup Files"
SOPHOS Nov 2 2007 "Sophos"
SPYBOT~1 Dec 4 2007 "Spybot - Search & Destroy"
STELLA~1 Nov 3 2007 "Stellar Phoenix Windows Data Recovery"
SUNBEL~1 Dec 9 2007 "Sunbelt Software"
SUPERA~1 Dec 7 2007 "SUPERAntiSpyware"
SYMANTEC Nov 2 2007 "Symantec"
SYNAPT~1 Nov 2 2007 "Synaptics"
TOSHIBA Nov 2 2007 "TOSHIBA"
TRENDM~1 Dec 7 2007 "Trend Micro"
TVANTS Nov 28 2007 "TVAnts"
UNINST~1 Nov 2 2007 "Uninstall Information"
VIRTUA~1 Nov 9 2007 "Virtual Mechanics"
WI459E~1 Nov 3 2007 "Windows Desktop Search"
WI4DF6~1 Nov 29 2007 "Windows Media Connect 2"
WINDOW~1 Nov 2 2007 "Windows NT"
WINDOW~2 Nov 2 2007 "WindowsUpdate"
WINDOW~3 Nov 2 2007 "Windows Media Player"
WINMX Nov 2 2007 "WinMX"
WINRAR Nov 2 2007 "WinRAR"
XEROX Nov 2 2007 "xerox"

60 items found: 0 files, 60 directories (3 H/S).

Locating all files created in C:\Program Files\Common Files\ within the last 90 days.

"C:\Program Files\Common Files\"
ADOBE Nov 3 2007 "Adobe"
ADOBES~1 Nov 3 2007 "Adobe Systems Shared"
DESIGNER Nov 2 2007 "DESIGNER"
INSTAL~1 Nov 2 2007 "InstallShield"
INTEL Nov 7 2007 "Intel"
MICROS~1 Nov 2 2007 "Microsoft Shared"
MSSOAP Nov 2 2007 "MSSoap"
NERO Nov 30 2007 "Nero"
ODBC Nov 2 2007 "ODBC"
SERVICES Nov 2 2007 "Services"
SPEECH~1 Nov 2 2007 "SpeechEngines"
SYMANT~1 Nov 2 2007 "Symantec Shared"
SYSTEM Nov 2 2007 "System"
WISEIN~1 Dec 4 2007 "Wise Installation Wizard"

14 items found: 0 files, 14 directories.

Locating all files created in C:\Program Files\Common Files\Microsoft Shared\Web Folders within the last 90 days.

"C:\Program Files\Common Files\Microsoft Shared\Web Folders\"
1033 Nov 2 2007 "1033"

1 item found: 0 files, 1 directory.