Whilst WinPfind was running I got two alerts, one for a file named CSXAO.exe.ren and one for RDSNDIN.exe.ren
Here are the various logs:
Blacklight:
09/06/05 08:43:06 [Info]: BlackLight Engine 1.0.23 initialized
09/06/05 08:43:06 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/06/05 08:43:06 [Note]: 4019 0
09/06/05 08:43:06 [Note]: 4019 1
09/06/05 08:43:07 [Note]: 4019 2
09/06/05 08:43:07 [Note]: 4019 3
09/06/05 08:43:07 [Note]: 4019 4
09/06/05 08:43:07 [Note]: 4005 0
09/06/05 08:43:22 [Note]: 4006 0
09/06/05 08:43:22 [Note]: 4011 1356
09/06/05 08:43:23 [Note]: 4018 1344
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\rdsndin.exe
09/06/05 08:43:23 [Note]: 4018 3968
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\ntfsnlpa.exe
09/06/05 08:43:24 [Note]: FSRAW library version 1.7.1011
09/06/05 08:43:28 [Info]: Hidden file: C:\WINDOW\SYSTEM32\WBEM\WBEMTEST.EXE
09/06/05 08:43:29 [Info]: Hidden file: C:\WINDOW\SYSTEM32\HCLEAN32.EXE
09/06/05 08:43:30 [Note]: 4002 5
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\System32\rdsndin.exe
09/06/05 08:43:30 [Note]: 4002 5
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\System32\ntfsnlpa.exe
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\SYSTEM32\CSXAO.EXE
09/06/05 08:43:30 [Note]: 4002 32
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:32 [Info]: Hidden file: C:\WINDOW\SYSTEM32\LOADCT~1.EXE
09/06/05 08:47:08 [Note]: 4007 0
WinPfind:
»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
UPX! 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
aspack 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
UPX! 31/08/2005 07:20:28 170053 C:\WINDOW\tsc.exe
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
Checking %System% folder...
UPX! 06/09/2005 08:36:56 45568 C:\WINDOW\SYSTEM32\ntfsnlpa.exe.ren
PEC2 18/08/2001 12:00:00 41397 C:\WINDOW\SYSTEM32\dfrg.msc
winsync 18/08/2001 12:00:00 1309184 C:\WINDOW\SYSTEM32\wbdbase.deu
PTech 03/08/2005 10:33:42 520456 C:\WINDOW\SYSTEM32\LegitCheckControl.DLL
PECompact2 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
aspack 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
Umonitor 29/08/2002 11:41:10 631808 C:\WINDOW\SYSTEM32\rasdlg.dll
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOW\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
04/09/2005 19:59:14 H 54156 C:\WINDOW\QTFont.qfn
24/08/2005 15:26:14 RH 749 C:\WINDOW\WindowsShell.Manifest
06/09/2005 08:48:52 S 2048 C:\WINDOW\bootstat.dat
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\ncpa.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\nwc.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\sapi.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\wuaucpl.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\cdplayer.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\logonui.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\WindowsLogon.manifest
24/08/2005 17:37:18 H 4212 C:\WINDOW\system32\zllictbl.dat
06/09/2005 08:51:42 H 1024 C:\WINDOW\system32\config\system.LOG
06/09/2005 09:34:20 H 1024 C:\WINDOW\system32\config\software.LOG
06/09/2005 08:51:08 H 1024 C:\WINDOW\system32\config\default.LOG
24/08/2005 14:53:52 H 1024 C:\WINDOW\system32\config\userdiff.LOG
24/08/2005 14:53:50 H 1024 C:\WINDOW\system32\config\TempKey.LOG
06/09/2005 08:49:36 H 1024 C:\WINDOW\system32\config\SAM.LOG
06/09/2005 08:59:02 H 1024 C:\WINDOW\system32\config\SECURITY.LOG
31/08/2005 17:37:04 H 1024 C:\WINDOW\system32\config\systemprofile\ntuser.dat.LOG
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Local Settings\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NW7ULK0S\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EMK2V8GT\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\71MN7CE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G8VUX12F\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Start Menu\desktop.ini
24/08/2005 15:29:06 HS 205 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\desktop.ini
24/08/2005 15:29:06 HS 482 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
24/08/2005 15:29:06 HS 348 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
24/08/2005 15:26:32 HS 181 C:\WINDOW\system32\config\systemprofile\SendTo\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Application Data\desktop.ini
27/08/2005 11:58:34 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\cf81c631-793c-4f64-8a21-ed442f8e4119
27/08/2005 11:58:34 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\Preferred
02/09/2005 12:56:30 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\83d06362-c076-44ea-8294-3311c520a179
02/09/2005 12:56:30 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\Preferred
24/08/2005 15:29:12 H 237568 C:\WINDOW\repair\ntuser.dat
31/08/2005 09:27:54 H 0 C:\WINDOW\inf\oem6.inf
01/09/2005 13:09:04 H 0 C:\WINDOW\inf\oem7.inf
24/08/2005 15:27:58 HS 67 C:\WINDOW\Fonts\desktop.ini
06/09/2005 08:48:54 H 6 C:\WINDOW\Tasks\SA.DAT
24/08/2005 15:27:10 RHS 242478 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_1.cab
24/08/2005 15:27:10 RHS 19959 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_2.cab
24/08/2005 15:27:10 RHS 727 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_3.cab
02/09/2005 11:30:46 RHS 70111 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_5.cab
24/08/2005 15:26:30 H 65 C:\WINDOW\Downloaded Program Files\desktop.ini
24/08/2005 15:26:30 H 65 C:\WINDOW\Offline Web Pages\desktop.ini
Checking for CPL files...
Microsoft Corporation 29/08/2002 11:41:28 121856 C:\WINDOW\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 11:41:28 578560 C:\WINDOW\SYSTEM32\appwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 11:41:28 292352 C:\WINDOW\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 11:41:28 65536 C:\WINDOW\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\access.cpl
Apple Computer, Inc. 23/09/2004 18:57:40 323072 C:\WINDOW\SYSTEM32\QuickTime.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOW\SYSTEM32\wuaucpl.cpl
Sun Microsystems, Inc. 03/06/2005 03:52:54 49265 C:\WINDOW\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 29/08/2002 11:41:28 268288 C:\WINDOW\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 11:41:28 129024 C:\WINDOW\SYSTEM32\desk.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\dllcache\timedate.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\Daddy\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOW\System32\msdxm.ocx
{ACB1E670-3217-45C4-A021-6B829A8A27CB} = McAfee VirusScan : C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpeedTouch USB Diagnostics "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
NavRegReminder "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
srvprc C:\WINDOW\System32/srvprc.exe /i
dmfvt.exe C:\WINDOW\System32\dmfvt.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
hclean32.exe C:\WINDOW\System32\hclean32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOW\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
McAfee.InstantUpdate.Monitor "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
PPWebCap C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOW\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOW\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:28:28, on 06/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WinPFind\WinPFind.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpfc.prem...uk/page/Welcome
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [dmfvt.exe] C:\WINDOW\System32\dmfvt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOW\System32\hclean32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125476817452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125476791795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FEEA85-2356-4BBB-BA15-CE11D19C9845}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{83EC49F0-5351-488B-8B75-494AFA746BF6}: NameServer = 195.95.218.18 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOW\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
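The three logs above are most useful when cross-referenced rather than read one at a time: BlackLight reports what is hidden from the normal file and process listings, WinPfind and HijackThis report what is configured to start, and HijackThis lists which processes it could actually see. The script below is an added triage example, not something the poster ran or part of any of the three tools; it parses lines excerpted verbatim from the BlackLight and HijackThis logs in this post and reports (a) autorun entries whose image BlackLight flagged as hidden, (b) processes BlackLight saw that HijackThis did not, (c) autorun entries with no matching running process, and (d) the DNS servers set in the O17 lines. The regexes follow the line formats visible above and are assumptions for any other tool version.

```python
import re

# Lines excerpted verbatim from the BlackLight log posted above.
BLACKLIGHT = r"""
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\rdsndin.exe
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\ntfsnlpa.exe
09/06/05 08:43:28 [Info]: Hidden file: C:\WINDOW\SYSTEM32\WBEM\WBEMTEST.EXE
09/06/05 08:43:29 [Info]: Hidden file: C:\WINDOW\SYSTEM32\HCLEAN32.EXE
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\SYSTEM32\CSXAO.EXE
"""

# Lines excerpted verbatim from the HijackThis log posted above (subset).
HIJACKTHIS = r"""
Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [dmfvt.exe] C:\WINDOW\System32\dmfvt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOW\System32\hclean32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{83EC49F0-5351-488B-8B75-494AFA746BF6}: NameServer = 195.95.218.18 85.255.112.11
"""


def basename(path):
    """Lower-cased file name. HJT prints one entry with a forward slash
    (System32/srvprc.exe), so split on either separator."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def image_from_command(cmd):
    """Executable part of a Run value: the quoted path if quoted, otherwise
    everything up to the first '.exe' (unquoted paths may contain spaces)."""
    m = re.match(r'"([^"]+)"', cmd)
    if not m:
        m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_blacklight(text):
    """Return {(kind, basename)} for every 'Hidden process:'/'Hidden file:' line."""
    return {
        (m.group(1), basename(m.group(2)))
        for m in re.finditer(r"Hidden (process|file): (.+)$", text, re.M)
    }


def parse_hijackthis(text):
    """Return (running basenames, {(hive, name): image basename}, nameserver set)."""
    running, autoruns, nameservers = set(), {}, set()
    for line in text.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):            # 'Running processes:' block
            running.add(basename(line))
            continue
        m = re.match(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$", line)
        if m:
            autoruns[(m.group(1), m.group(2))] = basename(image_from_command(m.group(3)))
            continue
        m = re.match(r"^O17 - .*NameServer = (.+)$", line)
        if m:                                           # comma- or space-separated
            nameservers.update(re.split(r"[,\s]+", m.group(1).strip()))
    return running, autoruns, nameservers


def triage(blacklight_text, hjt_text):
    hidden = parse_blacklight(blacklight_text)
    hidden_procs = {b for kind, b in hidden if kind == "process"}
    hidden_any = {b for _, b in hidden}
    running, autoruns, nameservers = parse_hijackthis(hjt_text)
    images = set(autoruns.values())
    return {
        # An autorun whose on-disk image is hidden from the normal API: strongest signal here.
        "hidden_autoruns": sorted(images & hidden_any),
        # Processes BlackLight found that HJT's process list did not show.
        "hidden_processes_unseen_by_hjt": sorted(hidden_procs - running),
        # Weak signal on its own (an app may simply have exited); use for prioritising.
        "autoruns_not_running": sorted(images - running),
        "nameservers": sorted(nameservers),
    }


if __name__ == "__main__":
    for key, value in triage(BLACKLIGHT, HIJACKTHIS).items():
        print(f"{key}: {value}")
```

On the excerpt above this reports hclean32.exe as an autorun whose image is hidden, rdsndin.exe and ntfsnlpa.exe as hidden processes absent from the HijackThis list, and the two NameServer addresses applied to more than one adapter. The last bucket is deliberately weak: gcasServ.exe from the full log would also land there even though gcasDtServ.exe is running, so treat it as a list to check, not a verdict, and verify the O17 addresses against the ISP's published resolvers before removing them.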