Christmas help?


Electric Dragon
12-18-2008, 01:05 AM
Hello,
A friend asked if I could find and delete spyware on his computer to speed it up for him. In other words: clean it out. I am just a little more computer savvy than he is though, but I said I would try.

It is a laptop (Dell 6000), once running (which does take a long startup time, about 5 minutes), it has 11 icons in the bottom right corner.

Here is the hijackthis log from it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:43 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media.fastclick.net/w/safepop.cgi?cid=31047&mid=91766&sid=1452&c=21
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ptask] C:\Program Files\NoWayVirus\ptask.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [94c73cd9] rundll32.exe "C:\WINDOWS\system32\mhpvierx.dll",b
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CellularSouth_CDU680] C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9538 bytes


Thank you for any help you can give.
Merry Christmas
Dave

classicsoftware
12-18-2008, 02:06 AM
Welcome to the pcguide.com forums....
First:
How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Second:

Please do the following:


Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.


Note:

Do not mouseclick Combofix's window while it is running. That may cause the program to stall...

Third:


Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.

johnmassey
12-18-2008, 02:50 AM
Try installing avast home. it is a free download and the best for cleaning. I tried zone alarm pro, norton, kaspersky, avg etc etc Avast home was the best. It scans your pc before windows boots up, so spyware cannot lockdown folders, hide themselves in the operating system and so forth. Very good, you won't be disappointed

classicsoftware
12-18-2008, 08:03 AM
Try installing avast home. it is a free download and the best for cleaning. I tried zone alarm pro, norton, kaspersky, avg etc etc Avast home was the best. It scans your pc before windows boots up, so spyware cannot lockdown folders, hide themselves in the operating system and so forth. Very good, you won't be disappointed

I appreciate your offer to help. Please do not post any responses in a malware thread unless you have been approved to do so by one of the moderators. If you were able to read the logs you would have seen this:

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

This indicates Avast is installed and is loading at startup though many of the scanners have been disabled.
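The check classicsoftware just did by eye (an O4 autostart entry for avast is present, yet its process is nowhere in the "Running processes" list) can be scripted. This is an added example, not code from the thread or from HijackThis; it parses a constructed excerpt of the log posted above and also flags the hex-named rundll32 entry that loads a DLL from system32, the same entry MBAM later reports as Trojan.Vundo.H.

```python
import re

# Constructed excerpt of the HijackThis log posted at the top of this thread,
# trimmed to the "Running processes" section and a handful of O4 entries.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ptask] C:\Program Files\NoWayVirus\ptask.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [94c73cd9] rundll32.exe "C:\WINDOWS\system32\mhpvierx.dll",b
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HJT O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Run value names that are just eight hex digits (the pattern seen in this log)
HEX_NAME = re.compile(r'^[0-9a-f]{8}$')
# rundll32 invoked with a DLL path as its first argument
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+\.dll)"?', re.IGNORECASE)


def parse_hjt(text):
    """Return (running process paths, list of O4 entry dicts) from an HJT log."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process section
                in_procs = False
                continue
            procs.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return procs, entries


def image_name(cmd):
    """Best-effort lowercase executable name from an autostart command line."""
    if cmd.startswith('"'):                      # quoted path, take up to the closing quote
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted path, may contain spaces
        m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
        path = m.group(1) if m else (cmd.split() or [cmd])[0]
    return path.rsplit('\\', 1)[-1].lower()


def triage(text):
    """Cross-check every O4 entry against the process list and flag odd entries."""
    procs, entries = parse_hjt(text)
    running = {p.rsplit('\\', 1)[-1].lower() for p in procs}
    report = []
    for e in entries:
        image = image_name(e['cmd'])
        flags = []
        if HEX_NAME.match(e['name']):
            flags.append('random-looking value name')
        m = RUNDLL_DLL.search(e['cmd'])
        if m:
            # note: the host rundll32.exe is what shows up as "running", not the DLL
            flags.append('rundll32 loading ' + m.group(1).rsplit('\\', 1)[-1])
        report.append({'name': e['name'], 'hive': e['hive'], 'image': image,
                       'running': image in running, 'flags': flags})
    return report


def not_running(report):
    """Names of autostart entries whose executable is absent from the process list."""
    return [r['name'] for r in report if not r['running']]


if __name__ == "__main__":
    rep = triage(HJT_LOG)
    for r in rep:
        state = 'running' if r['running'] else 'NOT running'
        print(f"{r['hive']} [{r['name']}] -> {r['image']} ({state}) {'; '.join(r['flags'])}")
    print("autostarts with no matching process:", not_running(rep))
```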

Electric Dragon
12-18-2008, 08:50 AM
Just a few notes before I post the logs.

Reboot stalls at the "Windows is shutting down" screen for 8-10 minutes before moving on.

While combofix was preparing its log, a program called "Stopzilla" popped up and wanted to run a scan, I said no and an IE error message appeared about a script error (I was not able to get his machine to go online at all; I used a jump drive to move programs from my machine to his). Every time I tried to close the script error notice it opened again with the same message. I finally had to control-alt-delete and stop the stopzilla process that way.

Now combofix is done and stopzilla came back again with the same old story. I get rid of it and all the icons on the desktop are gone. I can get to the log but have no way to move it to my machine as nothing is available but control-alt-delete and alt-tab.

Help

ciao
Dave

I reboot and voila, back to normal (but much faster, only 2 minutes to running). I will post the logs next.

Electric Dragon
12-18-2008, 09:12 AM
First, the combofix log:

ComboFix 08-12-17.01 - Admin 2008-12-18 6:17:05.1 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tmpvc14
c:\windows\Fonts\a.zip
c:\windows\IE4 Error Log.txt
c:\windows\system32\bszip.dll
c:\windows\system32\dFrnx18
c:\windows\system32\Ultra.dll
E:\update.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-18 05:25 . 2008-12-18 05:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 05:25 . 2008-12-18 05:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-18 05:25 . 2008-12-18 05:25 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-18 05:25 . 2008-12-03 19:59 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-18 05:25 . 2008-12-03 19:59 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-17 22:43 . 2008-12-17 22:53 <DIR> d-------- C:\hjt
2008-12-15 00:05 . 2008-12-15 00:10 <DIR> d-------- C:\CellularSouth_CDU680
2008-12-09 17:07 . 2008-12-17 22:16 <DIR> d-------- c:\program files\CellularSouth
2008-12-09 17:07 . 2006-12-13 20:31 87,040 --a------ c:\windows\SYSTEM32\DRIVERS\cmusbser.sys
2008-12-09 17:05 . 2007-06-28 14:00 315,392 --a------ c:\windows\PINSTALLPROCESS.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 12:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 12:34 --------- d-----w c:\program files\PC Tools AntiVirus
2008-12-18 12:31 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-18 12:01 30,696 ----a-w c:\windows\system32\drivers\kgpcpy.cfg
2008-12-09 23:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 06:33 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-08-08 01:40 56,912 -c--a-w c:\documents and settings\James A.Gordon\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 98304]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2005-03-14 335970]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 53248]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-18 217088]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-01-18 458752]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-11-10 598016]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-05-25 1238928]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"CellularSouth_CDU680"="c:\program files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE" [2008-09-09 316664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKLM-Run-BearShare - c:\program files\BearShare\BearShare.exe
HKLM-Run-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
HKLM-Run-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
HKLM-Run-ptask - c:\program files\NoWayVirus\ptask.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://media.fastclick.net/w/safepop.cgi?cid=31047&mid=91766&sid=1452&c=21
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: vlsp.dll
FF - ProfilePath -
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 06:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(996)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\vlsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Verizon Wireless\venturi\Client\VentC.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
************************************************************************
.
Completion time: 2008-12-18 6:41:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 12:41:29

Pre-Run: 64,706,228,224 bytes free
Post-Run: 65,395,253,248 bytes free

134

Electric Dragon
12-18-2008, 09:13 AM
Next the Malwarebyte log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/18/2008 5:43:17 AM
mbam-log-2008-12-18 (05-43-17).txt

Scan type: Quick Scan
Objects scanned: 51832
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 28
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 31
Files Infected: 102

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\mhpvierx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ssqNEurS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yqbwdwry.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\WSHTCPIP.DLL (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4af7d218-a8f3-4989-8b0c-bd5258f11e49} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4af7d218-a8f3-4989-8b0c-bd5258f11e49} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3c040f6-11b2-43dd-b89c-90d61d736ce8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e3c040f6-11b2-43dd-b89c-90d61d736ce8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e3c040f6-11b2-43dd-b89c-90d61d736ce8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4af7d218-a8f3-4989-8b0c-bd5258f11e49} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca356d79-679b-4b4c-8e49-5af97014f4c1} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{42071713-76d4-11d1-8b24-00a0c9068ff3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93ba4344-aa56-403e-87f2-819650fedacd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kmixer (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ssrtln (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ssrtln (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssrtln (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpamBlockerUtility (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\starware (Adware.Starware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94c73cd9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42071713-76d4-11d1-8b24-00a0c9068ff3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\lfpcd11n.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ssqneurs -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ssqneurs -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\IESkins (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0 (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\HostOI (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\HostOI\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\HostOL (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\HostOL\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1 (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\NowayVirus (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\NowayVirus\AVQuar (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\' (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System Doctor (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\NowayVirus (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\NowayVirus\Logs (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\System Doctor Free (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\System Doctor Free (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\System Doctor Free\Logs (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\System Doctor Unregistered Version (Rogue.SystemDoctor) -> Quarantined and deleted successfully.

Electric Dragon
12-18-2008, 09:15 AM
Files Infected:
C:\WINDOWS\SYSTEM32\yqbwdwry.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ssqNEurS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\SruENqss.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\SruENqss.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gdeeqfft.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tffqeedg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mhpvierx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xreivphm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM\MSVIDEO.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\PLACES.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\anim.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\drmclien.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lsbkntnt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSVIDEO.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\USP10.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\AUTOCHK.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\AUTOCONV.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\AUTOFMT.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rmjtpkew.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ufeuhpia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UNTFS.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wlgexckk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DESKMON.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ieakui.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ieapfltr.dat (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\fsvdyxel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\WSHTCPIP.DLL (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ativcoxx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lfpcd11n.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\VSS_PS.DLL (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DOSX.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\kmixer.sys (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Local Settings\Temp\BellSouthMessengerSetup42.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Desktop\Album5_XceedFtp_Hotfix.EXE (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Desktop\AV2009Install_77043307(2).exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Desktop\AV2009Install_77043307(3).exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Desktop\AV2009Install_77043307.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Desktop\PSPA_MyPublisherPatch_English.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\20 Ways to Build Traffic to Your Site.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\A Fine Frenzy - One Cell In the Sea (2007).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Adventure Pinball Forgotten Island.zip (Trojan.Agent) -> Quarantined and deleted successfully.

Electric Dragon
12-18-2008, 09:15 AM
C:\WINDOWS\Fonts\'\AnyDVD 6.3.1.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Automatic Print Email 3.022.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Baby Mama (2008).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Barry Manilow - The Greatest Songs of the Seventies (2007).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Broomstick Racer.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Bus Simulator 2008.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Closing the Ring (2007).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Corel Draw X4 Graphics Suite.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Disney's Meet the Robinson's (Wii).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Duplicate Image Finder 1.0.20.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Everything You Need to Start Growing Marijuana.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Ez Contract Proposal 2.0.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Final Draft 7.1.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\FlashMP3 1.2.2 (Portable).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\G-Force 3.7.3 Platinum.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\GIF Creator 5.51.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Glary Utilities Pro 2.5.2.185.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Hacking Firefox.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\ImTOO PsP Video Converter 3.1.8.083.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\MediaWiper 3.08.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Merv Griffin's Crosswords.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Movie Label 2008 3.1.2.555.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Natasha Bedingfield - N.B (2007) (Import).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Natasha Bedingfield - Unwritten (2004).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Nero 8.3.2.1 Lite (Portable).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\NOD32 Antivirus 3.0.621.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Norton Partition Magic 8.05.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Phil Collins - Serious Hits. Live! (1990).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Photo Combiner 4.51.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Photo Movie Creator 2.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Qigong for Healing and Relaxation.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Rampage Total Destruction (Wii).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Scallywag In the Lair of the Medusa.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Sony Cinescore 1.0c.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Spiderman 3 (Wii).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Spyware Doctor 5.5.1.321.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Stuffit Deluxe 12.0.0.17.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Surfs Up (Wii).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\System Mechanic 7.5.10.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\The Forbidden Kingdom (2008).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\The Joint Rolling Handbook.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Vista Manager 1.5.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Wii Sports (Wii).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\Windows XP Performance Edition SP3 April 2008.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\'\World's Scariest Ghosts Caught on Tape (2000).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System Doctor\dcmon.exe (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log\2008 May 21 - 01_10_50 PM_781.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log\2008 May 22 - 10_38_31 AM_828.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log\2008 May 24 - 06_55_59 AM_093.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log\2008 May 24 - 12_06_54 PM_843.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Log\2008 May 25 - 12_41_50 PM_187.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\NowayVirus\PGE.dat (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\NowayVirus\Logs\threats.log (Rogue.NowayVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\James A.Gordon\Application Data\System Doctor Free\Logs\update.log (Rogue.SystemDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\BM97f40f45.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM97f40f45.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Electric Dragon
12-18-2008, 09:20 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:39 AM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media.fastclick.net/w/safepop.cgi?cid=31047&mid=91766&sid=1452&c=21
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CellularSouth_CDU680] C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9974 bytes

mjc
12-18-2008, 11:13 AM
How is the system currently running?

Electric Dragon
12-18-2008, 02:21 PM
The machine starts quicker (less than 2 minutes) but still takes about 8 or more minutes to shut down.

I am getting an error message about autochk program not found, so it skips it. PC Tools Antivirus says it encounters an error and I must reboot (error 104). Then "no response from server received" (also PC Tools). On reboot, these messages go away.

After rebooting, I get this message from: C-motech RDEVCHG "Run Time Device Change."

Stopzilla insists that there is an infection but lists nothing found. It gives two options: remove now and remove later; I am afraid to remove this nothing.

If I click something with the mouse (start a program), it takes what I consider the normal time to respond and open the program.

Ciao
Dave

classicsoftware
12-18-2008, 10:29 PM
Disable and/or remove STOPzilla. It may be impeding the scans.

Re-scan with Combofix and MBAM and let me know what happens....

Electric Dragon
12-19-2008, 05:52 AM
I reran mbam and it found no infections. However, with combofix there was a problem. An error message kept coming up while it was running.

regt.cfexe Application Error

Application failed to initialize properly (0xc0000005). Click on Ok to terminate application.

Every time I clicked OK, the message reappeared. I tried using the X in the upper right corner instead but got the same results. When combofix finished, the message finally stayed gone.

Here is the combofix log:

ComboFix 08-12-17.01 - Admin 2008-12-19 3:36:26.3 - NTFSx86
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cogfqmlt.ini
c:\windows\system32\gdfbbvyu.ini
c:\windows\system32\lmwiucsh.ini
c:\windows\system32\npkuhxqc.ini
c:\windows\system32\obvhbaqm.ini
c:\windows\system32\ojwupcps.ini
c:\windows\system32\tcviyury.ini
c:\windows\system32\xqjoqhhk.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-18 18:01 . 2008-12-18 18:01 <DIR> d-------- c:\windows\SYSTEM32\vmm32
2008-12-18 17:35 . 2008-12-18 18:40 <DIR> d-------- c:\documents and settings\Admin\Application Data\Winamp
2008-12-18 05:25 . 2008-12-18 05:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 05:25 . 2008-12-18 05:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-18 05:25 . 2008-12-18 05:25 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-18 05:25 . 2008-12-03 19:59 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-18 05:25 . 2008-12-03 19:59 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-17 22:43 . 2008-12-18 07:03 <DIR> d-------- C:\hjt
2008-12-15 00:05 . 2008-12-15 00:10 <DIR> d-------- C:\CellularSouth_CDU680
2008-12-09 17:07 . 2008-12-17 22:16 <DIR> d-------- c:\program files\CellularSouth
2008-12-09 17:07 . 2006-12-13 20:31 87,040 --a------ c:\windows\SYSTEM32\DRIVERS\cmusbser.sys
2008-12-09 17:05 . 2007-06-28 14:00 315,392 --a------ c:\windows\PINSTALLPROCESS.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 00:01 --------- d-----w c:\program files\Dell
2008-12-18 23:42 --------- d-----w c:\program files\Google
2008-12-18 23:28 --------- d-----w c:\program files\Yahoo!
2008-12-18 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-12-18 23:20 --------- d-----w c:\program files\MUSICMATCH
2008-12-18 23:17 --------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-18 22:55 --------- d-----w c:\program files\PC Tools AntiVirus
2008-12-18 21:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-09 23:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 06:33 --------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2008-08-08 01:40 56,912 -c--a-w c:\documents and settings\James A.Gordon\g2mdlhlpx.exe
.

Electric Dragon
12-19-2008, 05:55 AM
((((((((((((((((((((((((((((( snapshot@2008-12-18_ 6.39.39.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-19 00:01:22 10,134 ----a-r c:\windows\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
+ 2008-12-19 00:01:22 45,056 ----a-r c:\windows\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
+ 2006-08-24 23:49:34 164,180 ----a-w c:\windows\SYSTEM32\DRIVERS\windrvr.sys
+ 2006-08-24 18:49:24 176,128 ----a-w c:\windows\SYSTEM32\rcdscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mSearch Page =
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://media.fastclick.net/w/safepop.cgi?cid=31047&mid=91766&sid=1452&c=21
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html -
LSP: vlsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 03:38:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\6to4]
"ServiceDll"="%SystemRoot%\System32\6to4svc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\abp480n5]
"ImagePath"="system32\DRIVERS\ABP480N5.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\adpu160m]
"ImagePath"="system32\DRIVERS\adpu160m.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AegisP]
"ImagePath"="system32\DRIVERS\AegisP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\agp440]
"ImagePath"="system32\DRIVERS\agp440.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\agpCPQ]
"ImagePath"="system32\DRIVERS\agpCPQ.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Aha154x]
"ImagePath"="system32\DRIVERS\aha154x.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aic78u2]
"ImagePath"="system32\DRIVERS\aic78u2.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aic78xx]
"ImagePath"="system32\DRIVERS\aic78xx.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AliIde]
"ImagePath"="system32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\alim1541]
"ImagePath"="system32\DRIVERS\alim1541.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\amdagp]
"ImagePath"="system32\DRIVERS\amdagp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\amsint]
"ImagePath"="system32\DRIVERS\amsint.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ApfiltrService]
"ImagePath"="system32\DRIVERS\Apfiltr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Appdrv]
"ImagePath"="\??\c:\program files\Dell\NICCONFIGSVC\Appdrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Arp1394]
"ImagePath"="system32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc]
"ImagePath"="system32\DRIVERS\asc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc3350p]
"ImagePath"="system32\DRIVERS\asc3350p.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\asc3550]
"ImagePath"="system32\DRIVERS\asc3550.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\aswTdi]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

Electric Dragon
12-19-2008, 05:56 AM

classicsoftware
12-19-2008, 11:27 AM
Please tell me how the system is running? Any change? You are my eyes and ears and you need to let me know what's going on.

Please post a HJT log.

Electric Dragon
12-19-2008, 05:06 PM
Hello,

The system is running fine. Later, I am going to try to get to the internet by hooking it up to my network (while unhooking my computers from it). The cellsouth card requires a password (he didn't mention anything like that to me so I have none to put in and he is unavailable for the next few days). I ran the PCTools antivirus last night and it found three things. Other than that though, everything seems great.

Here is the hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:58, on 2008-12-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media.fastclick.net/w/safepop.cgi?cid=31047&mid=91766&sid=1452&c=21
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (file missing)
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CellularSouth_CDU680] C:\Program Files\CellularSouth\CellularSouth_CDU680\BIN\RDVCHG.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6460 bytes

classicsoftware
12-25-2008, 09:39 AM
What did it find and are you on-line yet?