
Memory Usage On Vista 32 Bit.


  • This topic is locked
16 replies to this topic

#1 Patrick Casher

Patrick Casher

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 08 August 2007 - 03:00 PM

Have HijackThis log here. Any help would be appreciated. Thanks, Patrick.

(Moderator edit: log post moved to HJT Team Forum for analysis and Member help. jgweed)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:38 PM, on 8/8/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Patrick Casher\Downloads\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9097 bytes

Edited by jgweed, 08 August 2007 - 04:04 PM.
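The log above is in HijackThis v2 format. As an added example (not code from this thread, from HijackThis or from BleepingComputer), here is a small Python parser that pulls out the O4 Run/RunOnce values, startup-folder shortcuts and O23 services and flags the entries a helper reads first: RunOnce values, shortcuts whose target could not be resolved (the `= ?` form), and services whose binary is reported missing or has no listed publisher. The embedded sample log is a constructed subset of lines from this thread; the regexes, the `Entry` record and the triage rules are my own assumptions about the layout, not a grammar published by HijackThis, and a flagged entry is something to verify, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in the HijackThis v2.0.2 layout used in
# this thread, limited to the entry kinds this script inspects.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista (WinNT 6.00.1904)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Line shapes for the three entry kinds (regexes written for this example from
# the lines in the thread; HijackThis publishes no formal grammar for its output).
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(
    r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.*?) = (?P<target>.*)$")
O23_SERVICE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    kind: str      # "run", "startup" or "service"
    name: str      # value name, shortcut name or service display name
    location: str  # hive\key, startup folder, or the service's listed owner
    target: str    # command line, shortcut target, or service binary


def parse_hjt(text: str) -> list[Entry]:
    """Turn O4/O23 lines into Entry records; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_REGISTRY.match(line):
            entries.append(Entry("run", m["name"], f"{m['hive']}\\{m['key']}", m["cmd"]))
        elif m := O4_STARTUP.match(line):
            entries.append(Entry("startup", m["name"], m["where"], m["target"]))
        elif m := O23_SERVICE.match(line):
            entries.append(Entry("service", m["name"], m["owner"], m["path"]))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries that deserve a closer look.

    The rules mirror the questions asked in the thread: they mark items to
    verify by hand, they do not declare anything malicious."""
    findings = []
    for e in entries:
        if e.kind == "run" and e.location.endswith("RunOnce"):
            findings.append((e.name, "RunOnce value: runs at next logon, check the file's properties/publisher"))
        if e.kind == "startup" and e.target.strip() == "?":
            findings.append((e.name, "startup shortcut whose target could not be resolved"))
        if e.kind == "service" and e.target.endswith("(file missing)"):
            findings.append((e.name, "service registration whose binary is not on disk"))
        if e.kind == "service" and e.location == "Unknown owner":
            findings.append((e.name, "service binary carries no publisher information"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Run against the full log in a file (`parse_hjt(open("hijackthis.log").read())`) it reports the same entries Falu singles out below: the `Launcher` RunOnce value, the Works Calendar shortcut with no target, and the Symantec service whose binary is missing. "Unknown owner" only means the listed binary has no vendor name attached; the CyberLink services under HP's QuickPlay folder would be flagged the same way, which is why the output is a checklist rather than a verdict.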



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:32 AM

Posted 20 August 2007 - 08:20 AM

Hi Patrick Casher, :flowers:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

#3 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 24 August 2007 - 01:08 PM

Seems to have cleared up some, now around 60%. I removed winamp and the openoffice quickstarter. Would appreciate any additional ideas. Here's a new log. Thanks, Patrick.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:43 PM, on 8/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Patrick Casher\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8733 bytes

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:32 AM

Posted 25 August 2007 - 08:00 AM

Hi Patrick Casher, :thumbsup:

Welcome to BleepingComputerForums and thanks again for your patience.

1. Are you using a firewall? I see nothing in your log that would indicate that you have one. I urge you to install one. Though there are not many yet, there are several good free programmes available, like:

PC Tools Firewall Plus
ZoneAlarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

This entry may refer to one of several things, good and bad.
So navigate to the file C:\WINDOWS\SMINST\launcher.exe, right click it and check its properties.
If it is HP or audio related it should be safe to keep. Please report back your findings.

3. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

4. Print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

5. Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

6. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

7. Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
8.

Memory Usage On Vista 32 Bit., Noticed up to over 80% was around 45 before 1 gig ram

I removed winamp and the openoffice quickstarter. Would appreciate any additional ideas.


There are some tools you can use to manage your startup locations such as:

Sysinternal's Autoruns
StartUpMonitor
Startup Manager

Another possibility is:

Go to start > run and type: msconfig
Select the tab: Startup

There you will see all the programs starting up with windows.
Some are not needed and can also cause a system slowdown. Don't disable them all, because some are needed! If you're not sure, check them at BleepingComputer and CastleCops.

You can always access these programs by going to your Start menu > All Programs, or start them manually via the Programs folder where they are present. So you can always enable them again afterwards.

Also look at Help! My computer is slow!

Please post the Dr. Web log along with a fresh HijackThis log and the information on the file.

#5 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 25 August 2007 - 10:49 PM

1. Firewall - When I bought Vista PC's, laptop for myself and desktop for wife, I tried Zonealarm (free) and at the time it wouldn't work with Vista so using Windows firewall. Also had to change to Windows firewall on old XP machine due to networking problems between Vista & XP.

2. Launcher.exe - Didn't see relation to HP or audio - Details showed language as French. - Deleted.

5. DrWeb - Couldn't DL DrWeb-CureIt.exe (4-21-06) or CureIt.exe (8-24-07) but could DL CureIt-Beta.exe so used it.

Here's the fresh HiJackThis log and CureIt-Beta Log: Thanks, Patrick.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:52 PM, on 8/25/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Patrick Casher\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8726 bytes

stressreducers.exe;C:\download;Joke.Puncher;Incurable.Moved.;
defrag.js;C:\Program Files\Hewlett-Packard\HP Health Check\ActiveCheck\objects;Modification of VBS.Generic.217;Moved.;
GTDown.ocx;C:\Program Files\HP\HPNetworkAssistant\BrowserPlugins;Adware.Gdown.origin;Incurable.Moved.;
Teledat330Stats.exe;C:\Speedstream;BackDoor.Midori.origin;Incurable.Moved.;

Edited by Patrick Casher, 25 August 2007 - 10:52 PM.


#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 August 2007 - 02:56 PM

Hi Patrick Casher, :thumbsup:

Firewall - When I bought Vista PC's, laptop for myself and desktop for wife, I tried Zonealarm (free) and at the time it wouldn't work with Vista so using Windows firewall. Also had to change to Windows firewall on old XP machine due to networking problems between Vista & XP.


The ones I suggested in my previous post work for Vista, so please be sure to have one up and running. Furthermore, the third-party firewalls do a better job than the Windows firewall, since that doesn't check your outgoing traffic.

Couldn't DL DrWeb-CureIt.exe (4-21-06) or CureIt.exe (8-24-07) but could DL CureIt-Beta.exe so used it.


Why not? The link works okay ....

Let's dig a little deeper.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#7 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts

Posted 26 August 2007 - 04:45 PM

1. Firewall - You're right, ZoneAlarm now works with Vista. I installed it. Seems to use a little more memory, but the overhead may be worth it.

2. CureIt - I tried it again (ftp://ftp.drweb.com/pub/drweb/cureit/DrWeb-CureIt.exe), couldn't get to the web page, so I just went up a level (ftp://ftp.drweb.com/pub/drweb/cureit) and was only able to dl the beta.

3. ComboFix - Administrator window came up saying please wait, ComboFix is preparing to run. Then said out of memory. Same thing in safe mode, but gave the following additional info: SWreg.cfreg Application error, the instruction at 0x00403ec2 referenced memory at 0x00f0c950, the memory could not be read. Click to terminate program.

4. New HiJackThis Log here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24, on 2007-08-26
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Patrick Casher\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8997 bytes

#8 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 August 2007 - 11:08 AM

Hi Patrick Casher, :thumbsup:

1. For technical reasons Combofix has been pulled, unfortunately.

Note: in order to be able to run the next tool under Vista you must be registered as the administrator!!

Download reglooks from here and save it to your desktop.
Double-click reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

2.

CureIt - I tried it again (ftp://ftp.drweb.com/pub/drweb/cureit/DrWeb-CureIt.exe), couldn't get to the web page, so I just went up a level (ftp://ftp.drweb.com/pub/drweb/cureit) and was only able to dl the beta.


I get an error message now as well so let's try another scan but first disable Windows defender again!

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please post the result.txt along with the SAS report and a fresh HijackThis log.

#9 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts

Posted 28 August 2007 - 07:54 AM

1. RegLooks - I have admin. priv. Dl'ed and tried to run; a window popped up and said RegLooks has stopped working. Sent info to Microsoft. Tried run as admin. and safe mode, no help.

2. SuperAntiSpyware - Stuck in a loop, scanned for over 17 hours and over 1 million files. Stopped. Did get a log, see below. I try and keep on top of spyware running Windows Defender, Ad-Aware once a week, keeping hosts and restricted sites updated with SpywareBlaster.

3. Long shutdown time - Noticed, maybe since ZoneAlarm; maybe I'll try and back it out and see if it makes a difference.

Here's the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 07:27 AM

Application Version : 3.9.1008

Core Rules Database Version : 3292
Trace Rules Database Version: 1303

Scan type : Complete Scan
Total Scan Time : 17:13:17

Memory items scanned : 683
Memory threats detected : 0
Registry items scanned : 7824
Registry threats detected : 0
File items scanned : 1018095
File threats detected : 6

Adware.Tracking Cookie
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@ads.ookla[2].txt
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@www.click2houston[1].txt
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@cf-db01.clickfacts[2].txt
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@click2houston[1].txt
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@ads.bigfoot[1].txt
C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Cookies\patrick_casher@pt.crossmediaservices[1].txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:52, on 2007-08-28
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Patrick Casher\Desktop\NetPop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Patrick Casher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9176 bytes

#10 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts

Posted 28 August 2007 - 05:46 PM

Some way some how someone with an IP address from Nigeria (82.128.6.169) found out my eBay password and changed my email address at eBay. I complained to the abuse email address of their ISP but don't know if it will help. Got my account back at eBay thru their support help.

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 August 2007 - 05:53 AM

Hi Patrick Casher, :thumbsup:

RegLooks - I have admin. priv. Dl'ed and tried to run; a window popped up and said RegLooks has stopped working. Sent info to Microsoft. Tried run as admin. and safe mode, no help.


1. Delete all files related to Reglooks on your desktop.

2. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

3. Download reglooks again from here and save it to your desktop.
Double-click reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

Edited by Falu, 29 August 2007 - 05:54 AM.


#12 Patrick Casher

Patrick Casher
  • Topic Starter

  • Members
  • 10 posts

Posted 29 August 2007 - 07:26 PM

1. Cleaned files-

2. RegLooks - Ran fine this time. Here's the log:

REGLOOKS logfile

version 0.971
2007-08-29 19:19:05.32
running from: "C:\Users\Patrick Casher\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks


--- AUTORUN regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Defender"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,\
6e,64,6f,77,73,20,44,65,66,65,6e,64,65,72,5c,4d,53,41,53,43,75,69,2e,65,78,\
65,20,2d,68,69,64,65,00
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QlbCtrl"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,48,65,77,6c,65,\
74,74,2d,50,61,63,6b,61,72,64,5c,48,50,20,51,75,69,63,6b,20,4c,61,75,6e,63,\
68,20,42,75,74,74,6f,6e,73,5c,51,6c,62,43,74,72,6c,2e,65,78,65,20,2f,53,74,\
61,72,74,00
"HP Health Check Scheduler"="C:\\Program Files\\Hewlett-Packard\\HP Health Check\\HPHC_Scheduler.exe"
"WAWifiMessage"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,48,65,77,\
6c,65,74,74,2d,50,61,63,6b,61,72,64,5c,48,50,20,57,69,72,65,6c,65,73,73,20,\
41,73,73,69,73,74,61,6e,74,5c,57,69,46,69,4d,73,67,2e,65,78,65,00
"hpWirelessAssistant"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,48,\
65,77,6c,65,74,74,2d,50,61,63,6b,61,72,64,5c,48,50,20,57,69,72,65,6c,65,73,\
73,20,41,73,73,69,73,74,61,6e,74,5c,48,50,57,41,4d,61,69,6e,2e,65,78,65,00
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"NvSvc"="RUNDLL32.EXE C:\\Windows\\system32\\nvsvc.dll,nvsvcStart"
"NvCplDaemon"="RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\Windows\\system32\\NvMcTray.dll,NvTaskbarInit"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
[Run\OptionalComponents]
@=""
[Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[Run\OptionalComponents\MSFS]
"Installed"="1"
@=""


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKU\.DEFAULT\Run regkeys ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\.DEFAULT\Run keys found


--- HKU\S-1-5-18\Run regkeys ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-18\Run keys found


--- HKU\S-1-5-19\Run regkeys ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Sidebar"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,6e,64,6f,\
77,73,20,53,69,64,65,62,61,72,5c,53,69,64,65,62,61,72,2e,65,78,65,20,2f,64,\
65,74,65,63,74,4d,65,6d,00
"WindowsWelcomeCenter"="rundll32.exe oobefldr.dll,ShowWelcomeCenter"


--- HKU\S-1-5-20\Run regkeys ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Sidebar"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,6e,64,6f,\
77,73,20,53,69,64,65,62,61,72,5c,53,69,64,65,62,61,72,2e,65,78,65,20,2f,64,\
65,74,65,63,74,4d,65,6d,00
"WindowsWelcomeCenter"="rundll32.exe oobefldr.dll,ShowWelcomeCenter"


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}" FILE ="C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" regkey not found (ERROR)
"{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" FILE ="C:\\Program Files\\Skype\\Toolbars\\Internet Explorer\\SkypeIEPlugin.dll"
"{53707962-6F74-2D53-2644-206D7942484F}" FILE ="C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" FILE ="C:\\Program Files\\Yahoo!\\Common\\yiesrvc.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" FILE ="C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll"


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"BriefcaseMenu" CLSID ={85BBD920-42A0-1069-A2E4-08002B30309D} FILE ="syncui.dll"
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\shell32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\shell32.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"Yahoo! Mail" CLSID ={5464D816-CF16-4784-B9F3-75C0DB52B499} FILE ="C:\\PROGRA~1\\Yahoo!\\Common\\ymmapi.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\shell32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\shell32.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"BriefcaseMenu" CLSID ={85BBD920-42A0-1069-A2E4-08002B30309D} FILE ="syncui.dll"
"Create ISO Image from directory" CLSID ={34F4B935-17DC-4885-8BC9-CCD1ADF42F93} FILE ="C:\\Program Files\\Alex Feinman\\ISO Recorder\\ISORecorder.dll"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
AppInfo
KeyIso
NTDS
ProfSvc
sacsvr
SWPRV
TabletInputService
TBS
TrustedInstaller
volmgr.sys
volmgrx.sys
{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
AppInfo
BFE
bowser
dfsc
Dot3Svc
Eaphost
IKEEXT
KeyIso
MPSDrv
MPSSvc
mrxsmb
mrxsmb10
mrxsmb20
NativeWifiP
netprofm
NlaSvc
Nsi
nsiproxy.sys
NTDS
PolicyAgent
ProfSvc
rdbss
rdpencdd.sys
sacsvr
SCardSvr
SWPRV
TabletInputService
TBS
TrustedInstaller
VDS
volmgr.sys
volmgrx.sys
Wlansvc
{50DD5230-BA8A-11D1-BF5D-0000F805F530}
{533C5B84-EC70-11D2-9505-00C04F79DEAF}
{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AddFiltr
"DisplayName"="AddFiltr"
"C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adsi
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeLookupSvc
"DisplayName"="@%SystemRoot%\\system32\\aelupsvc.dll,-1"
%systemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Appinfo
"DisplayName"="@%systemroot%\\system32\\appinfo.dll,-100"
%SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswMonFlt
"DisplayName"="aswMonFlt"
system32\DRIVERS\aswMonFlt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr
"DisplayName"="aswRdr"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi
"DisplayName"="avast! Network Shield Support"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswUpdSv
"DisplayName"="avast! iAVS4 Control Service"
"C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder
"DisplayName"="@%SystemRoot%\\system32\\audiosrv.dll,-204"
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Antivirus
"DisplayName"="avast! Antivirus"
"C:\Program Files\Alwil Software\Avast4\ashServ.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Mail Scanner
"DisplayName"="avast! Mail Scanner"
"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Web Scanner
"DisplayName"="avast! Web Scanner"
"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BCM43XV
"DisplayName"="Broadcom Extensible 802.11 Network Adapter Driver"
system32\DRIVERS\bcmwl6.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
"DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
%systemroot%\system32\svchost.exe -k LocalServiceNoNetwork

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bowser
"DisplayName"="Bowser"
system32\DRIVERS\bowser.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrFiltLo
"DisplayName"="Brother USB Mass-Storage Lower Filter Driver"
\SystemRoot\system32\drivers\brfiltlo.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrFiltUp
"DisplayName"="Brother USB Mass-Storage Upper Filter Driver"
\SystemRoot\system32\drivers\brfiltup.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrUsbSer
"DisplayName"="Brother MFC USB Serial WDM Driver"
\SystemRoot\system32\drivers\brusbser.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthEnum
"DisplayName"="Bluetooth Request Block Driver"
system32\DRIVERS\BthEnum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthPan
"DisplayName"="Bluetooth Device (Personal Area Network)"
system32\DRIVERS\bthpan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT
"DisplayName"="Bluetooth Port Driver"
System32\Drivers\BTHport.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthServ
"DisplayName"="@%SystemRoot%\\System32\\bthserv.dll,-101"
%SystemRoot%\system32\svchost.exe -k bthsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHUSB
"DisplayName"="Bluetooth Radio USB Driver"
System32\Drivers\BTHUSB.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertPropSvc
"DisplayName"="@%SystemRoot%\\System32\\certprop.dll,-11"
%SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CLCapSvc
"DisplayName"="CyberLink Background Capture Service (CBCS)"
"C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CLFS
"DisplayName"="Common Log (CLFS)"
System32\CLFS.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CLSched
"DisplayName"="CyberLink Task Scheduler (CTS)"
"C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CLTNetCnService
"DisplayName"="Symantec Lic NetConnect service"
"c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crcdisk
"DisplayName"="Crcdisk Filter Driver"
system32\drivers\crcdisk.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCLocator
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DfsC
"DisplayName"="Dfs Client Driver"
System32\Drivers\dfsc.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR
"DisplayName"="@dfsrres.dll,-101"
%SystemRoot%\system32\DFSR.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc
"DisplayName"="@%systemroot%\\system32\\dot3svc.dll,-1102"
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl
"DisplayName"="LDDM Graphics Subsystem"
\SystemRoot\System32\drivers\dxgkrnl.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E100B
"DisplayName"="Intel® PRO Adapter Driver"
system32\DRIVERS\e100b325.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E1G60
"DisplayName"="Intel® PRO/1000 NDIS 6 Adapter Driver"
system32\DRIVERS\E1G60I32.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eabfiltr
system32\DRIVERS\eabfiltr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eabusb
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost
"DisplayName"="@%systemroot%\\system32\\eapsvc.dll,-1"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ecache
"DisplayName"="ReadyBoost Caching Driver"
System32\drivers\ecache.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehRecvr
"DisplayName"="@%SystemRoot%\\ehome\\ehrecvr.exe,-101"
%systemroot%\ehome\ehRecvr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehSched
"DisplayName"="@%SystemRoot%\\ehome\\ehsched.exe,-101"
%systemroot%\ehome\ehsched.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehstart
"DisplayName"="@%SystemRoot%\\ehome\\ehstart.dll,-101"
%windir%\system32\svchost.exe -k LocalServiceNoNetwork

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EmdCache
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EMDMgmt
"DisplayName"="@%SystemRoot%\\system32\\emdmgmt.dll,-1000"
%systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fdPHost
"DisplayName"="@%systemroot%\\system32\\fdPHost.dll,-100"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FDResPub
"DisplayName"="@%systemroot%\\system32\\fdrespub.dll,-100"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileInfo
"DisplayName"="File Information FS MiniFilter"
system32\drivers\fileinfo.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Filetrace
"DisplayName"="FileTrace"
system32\drivers\filetrace.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0
"DisplayName"="@%SystemRoot%\\system32\\PresentationHost.exe,-3309"
%systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HBtnKey
system32\DRIVERS\cpqbttn.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HdAudAddService
"DisplayName"="Microsoft UAA Function Driver for High Definition Audio Service"
system32\drivers\CHDART.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus
"DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"
system32\DRIVERS\HDAudBus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkmsvc
"DisplayName"="@%SystemRoot%\\system32\\kmsvc.dll,-6"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HP Health Check Service
"DisplayName"="HP Health Check Service"
"C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpqwmiex
"DisplayName"="hpqwmiex"
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HSFHWAZL
system32\DRIVERS\VSTAZL3.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HSF_DPV
system32\DRIVERS\HSX_DPV.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HSXHWAZL
system32\DRIVERS\HSXHWAZL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialm
system32\DRIVERS\igdkmd32.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDriverT
"DisplayName"="InstallDriver Table Manager"
"C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc
"DisplayName"="@%systemroot%\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\ServiceModelInstallRC.dll,-8193"
"%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT
"DisplayName"="@%SystemRoot%\\system32\\ikeext.dll,-501"
%systemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPBusEnum
"DisplayName"="@%systemroot%\\system32\\IPBusEnum.dll,-102"
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
"DisplayName"="@%SystemRoot%\\system32\\iphlpsvc.dll,-200"
%SystemRoot%\System32\svchost.exe -k NetSvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iScsiPrt
"DisplayName"="iScsiPort Driver"
system32\DRIVERS\msiscsi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid
"DisplayName"="Keyboard HID Driver"
system32\DRIVERS\kbdhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyIso
"DisplayName"="@keyiso.dll,-100"
%SystemRoot%\system32\lsass.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KtmRm
"DisplayName"="@comres.dll,-2946"
%SystemRoot%\System32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdio
"DisplayName"="Link-Layer Topology Discovery Mapper I/O Driver"
system32\DRIVERS\lltdio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc
"DisplayName"="@%SystemRoot%\\system32\\lltdres.dll,-1"
%SystemRoot%\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv
"DisplayName"="UAC File Virtualization"
\SystemRoot\system32\drivers\luafv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MMCSS
"DisplayName"="@%systemroot%\\system32\\mmcss.dll,-100"
%SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\monitor
"DisplayName"="Microsoft Monitor Class Function Driver Service"
system32\DRIVERS\monitor.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23092"
System32\drivers\mpsdrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50
"DisplayName"="MREMP50 NDIS Protocol Driver"
\??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50a64
"DisplayName"="MREMP50a64 NDIS Protocol Driver"
\??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50
"DisplayName"="MRESP50 NDIS Protocol Driver"
\??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50a64
"DisplayName"="MRESP50a64 NDIS Protocol Driver"
\??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msisadrv
"DisplayName"="ISA/EISA Class Driver"
system32\drivers\msisadrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI
"DisplayName"="@%SystemRoot%\\system32\\iscsidsc.dll,-5000"
%systemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsRPC
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSCNTRS
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTEE
"DisplayName"="Microsoft Streaming Tee/Sink-to-Sink Converter"
system32\drivers\MSTEE.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent
"DisplayName"="@%SystemRoot%\\system32\\qagentrt.dll,-6"
%SystemRoot%\System32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NativeWifiP
"DisplayName"="NativeWiFi Filter"
system32\DRIVERS\nwifi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netprofm
"DisplayName"="@%SystemRoot%\\system32\\netprof.dll,-246"
%SystemRoot%\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsi
"DisplayName"="@%SystemRoot%\\system32\\nsisvc.dll,-200"
%systemroot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsiproxy
"DisplayName"="NSI proxy service"
system32\drivers\nsiproxy.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv
"DisplayName"="Microsoft Office Diagnostics Service"
"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc
"DisplayName"="@%SystemRoot%\\system32\\p2psvc.dll,-8004"
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc
"DisplayName"="@%SystemRoot%\\system32\\p2psvc.dll,-8006"
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc
"DisplayName"="@%SystemRoot%\\system32\\pcasvc.dll,-1"
%systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEAUTH
"DisplayName"="PEAUTH"
system32\drivers\peauth.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla
"DisplayName"="@%systemroot%\\system32\\pla.dll,-500"
%SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg
"DisplayName"="@%SystemRoot%\\system32\\p2psvc.dll,-8002"
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc
"DisplayName"="@%SystemRoot%\\system32\\p2psvc.dll,-8000"
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc
"DisplayName"="@%systemroot%\\system32\\profsvc.dll,-300"
%systemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHelp20
"DisplayName"="PxHelp20"
System32\Drivers\PxHelp20.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVE
"DisplayName"="@%SystemRoot%\\system32\\qwave.dll,-1"
%windir%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVEdrv
"DisplayName"="@%SystemRoot%\\system32\\drivers\\qwavedrv.sys,-1"
\SystemRoot\system32\drivers\qwavedrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPENCDD
"DisplayName"="RDP Encoder Mirror Driver"
system32\drivers\rdpencdd.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
"DisplayName"="@regsvc.dll,-1"
%SystemRoot%\system32\svchost.exe -k regsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RFCOMM
"DisplayName"="Bluetooth Device (RFCOMM Protocol TDI)"
system32\DRIVERS\rfcomm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rimmptsk
system32\DRIVERS\rimmptsk.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rimsptsk
system32\DRIVERS\rimsptsk.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rismxdp
"DisplayName"="Ricoh xD-Picture Card Driver"
system32\DRIVERS\rixdptsk.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RoxMediaDB9
"DisplayName"="RoxMediaDB9"
"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rspndr
"DisplayName"="Link-Layer Topology Discovery Responder"
system32\DRIVERS\rspndr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCPolicySvc
"DisplayName"="@%SystemRoot%\\System32\\certprop.dll,-13"
%SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sdbus
system32\DRIVERS\sdbus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDRSVC
"DisplayName"="@%SystemRoot%\\system32\\sdrsvc.dll,-107"
%SystemRoot%\system32\svchost.exe -k SDRSVC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serenum
"DisplayName"="Serenum Filter Driver"
\SystemRoot\system32\drivers\serenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv
"DisplayName"="@%SystemRoot%\\System32\\SessEnv.dll,-1026"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffp_mmc
"DisplayName"="SFF Storage Protocol Driver for MMC"
\SystemRoot\system32\drivers\sffp_mmc.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffp_sd
"DisplayName"="SFF Storage Protocol Driver for SDBus"
\SystemRoot\system32\drivers\sffp_sd.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\slsvc
"DisplayName"="@%SystemRoot%\\system32\\SLsvc.exe,-101"
%SystemRoot%\system32\SLsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SLUINotify
"DisplayName"="@%SystemRoot%\\system32\\SLUINotify.dll,-103"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Smb
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50005"
system32\DRIVERS\smb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSvcHost 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP
"DisplayName"="@%SystemRoot%\\system32\\snmptrap.exe,-3"
%SystemRoot%\System32\snmptrap.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spldr
"DisplayName"="Security Processor Loader Driver"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stllssvr
"DisplayName"="stllssvr"
"C:\Program Files\Common Files\SureThing Shared\stllssvr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain
"DisplayName"="@%SystemRoot%\\system32\\sysmain.dll,-1000"
%systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TabletInputService
"DisplayName"="@%SystemRoot%\\system32\\TabSvc.dll,-100"
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBS
"DisplayName"="@%SystemRoot%\\system32\\tbssvc.dll,-100"
%SystemRoot%\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
system32\DRIVERS\tdx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\THREADORDER
"DisplayName"="@%systemroot%\\system32\\mmcss.dll,-102"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tssecsrv
"DisplayName"="Terminal Services Security Filter Driver"
System32\DRIVERS\tssecsrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tunmp
"DisplayName"="Microsoft Tun Miniport Adapter Driver"
system32\DRIVERS\tunmp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tunnel
"DisplayName"="Microsoft IPv6 Tunnel Miniport Adapter Driver"
system32\DRIVERS\tunnel.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uagp35
"DisplayName"="Microsoft AGPv3.5 Filter"
\SystemRoot\system32\drivers\uagp35.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UGatherer
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UGTHRSVC
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect
"DisplayName"="@%SystemRoot%\\system32\\ui0detect.exe,-101"
%SystemRoot%\system32\UI0Detect.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UIUSys
"DisplayName"="Conexant Setup API"
system32\DRIVERS\UIUSYS.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uliagpkx
"DisplayName"="Uli AGP Bus Filter"
\SystemRoot\system32\drivers\uliagpkx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umbus
"DisplayName"="UMBus Enumerator Driver"
system32\DRIVERS\umbus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usb
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp
"DisplayName"="Microsoft USB Generic Parent Driver"
system32\DRIVERS\usbccgp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci
"DisplayName"="Microsoft USB Open Host Controller Miniport Driver"
system32\DRIVERS\usbohci.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbvideo
"DisplayName"="USB Video Device (WDM)"
System32\Drivers\usbvideo.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UxSms
"DisplayName"="@%SystemRoot%\\system32\\dwm.exe,-2000"
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vds
"DisplayName"="@%SystemRoot%\\system32\\vds.exe,-100"
%SystemRoot%\System32\vds.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vga
system32\DRIVERS\vgapnp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\volmgr
"DisplayName"="Volume Manager Driver"
system32\drivers\volmgr.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\volmgrx
"DisplayName"="Dynamic Volume Manager"
System32\drivers\volmgrx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc
"DisplayName"="@%SystemRoot%\\system32\\wcncsvc.dll,-3"
%SystemRoot%\System32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WcsPlugInService
"DisplayName"="@%SystemRoot%\\system32\\WcsPlugInService.dll,-200"
%SystemRoot%\system32\svchost.exe -k wcssvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wdf01000
"DisplayName"="Kernel Mode Driver Frameworks service"
system32\drivers\Wdf01000.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiServiceHost
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiSystemHost
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc
"DisplayName"="@%SystemRoot%\\system32\\wecsvc.dll,-200"
%SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport
"DisplayName"="@%SystemRoot%\\System32\\wercplsupport.dll,-101"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
"DisplayName"="@%SystemRoot%\\System32\\wersvc.dll,-100"
%SystemRoot%\System32\svchost.exe -k WerSvcGroup

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winachsf
system32\DRIVERS\HSX_CNXT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
"DisplayName"="@%SystemRoot%\\system32\\winhttp.dll,-100"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM
"DisplayName"="@%Systemroot%\\system32\\wsmsvc.dll,-101"
%SystemRoot%\System32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc
"DisplayName"="@%SystemRoot%\\System32\\wlansvc.dll,-257"
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiAcpi
"DisplayName"="Microsoft Windows Management Interface for ACPI"
system32\DRIVERS\wmiacpi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPCSvc
"DisplayName"="@%SystemRoot%\\system32\\wpcsvc.dll,-100"
%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum
"DisplayName"="@%SystemRoot%\\system32\\wpdbusenum.dll,-100"
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch
"DisplayName"="@%systemroot%\\system32\\SearchIndexer.exe,-103"
%systemroot%\system32\SearchIndexer.exe /Embedding

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearchIdxPi
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XAudio
system32\DRIVERS\xaudio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XAudioService
"DisplayName"="XAudioService"
%SystemRoot%\system32\DRIVERS\xaudio.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{35930A83-2EB5-4418-A001-D817412159D2}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{FFC858BA-FA28-497E-900D-6A87FD448C6A}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="credssp.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted: hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted: PolicyAgent\0\0
LocalServiceNoNetwork: PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService: CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs: TermService\0\0
WerSvcGroup: wersvc\0\0
netsvcs: AeLookupSvc\0wercplsupport\0Themes\0CertPropSvc\0SCPolicySvc\0lanmanserver\0gpsvc\0IKEEXT\0AudioSrv\0FastUserSwitchingCompatibility\0Ias\0Irmon\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Wmi\0WmdmPmSp\0TermService\0wuauserv\0BITS\0ShellHWDetection\0LogonHours\0PCAudit\0helpsvc\0uploadmgr\0iphlpsvc\0seclogon\0AppInfo\0msiscsi\0MMCSS\0ProfSvc\0EapHost\0winmgmt\0schedule\0SessionEnv\0browser\0hkmsvc\0\0
swprv: swprv\0\0
LocalServiceNetworkRestricted: DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss: RpcSs\0\0
regsvc: RemoteRegistry\0\0
wcssvc: WcsPlugInService\0\0
DcomLaunch: PlugPlay\0DcomLaunch\0\0
wdisvc: WdiServiceHost\0\0
sdrsvc: sdrsvc\0\0
imgsvc: StiSvc\0\0
secsvcs: WinDefend\0\0
bthsvcs: BthServ\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW


--- STARTUP FOLDERS ---

C:\Users\Patrick Casher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk


--- TASK SCHEDULER JOBS ---

C:\Windows\tasks\HPCeeScheduleForPatrick Casher.job
C:\Windows\tasks\User_Feed_Synchronization-{D0D47B27-8B7C-4978-A6B4-395F05AA6928}.job


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\winhlp32.exe %1)
.INF files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: ("%SystemRoot%\System32\WScript.exe" "%1" %*)


FINISHED
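When reading the services and "--- SVCHOST regkey ---" sections of a log like the one above, the check that matters is not the length of the list but two relationships: every service whose ImagePath is svchost.exe must launch the real host from %SystemRoot%\system32, and the service name must actually appear in the Svchost group named after -k (the log shows, for example, Wecsvc hosted with -k NetworkService and WECSVC listed in that group). A look-alike svchost.exe in a user-writable folder, or a service added to the netsvcs list, is the classic way a hostile service hides among the legitimate ones. Two caveats a reviewer needs: the comparison must be case-insensitive (WECSVC vs Wecsvc, wersvc vs WerSvc), and the reverse check is noisy, because the stock group lists legitimately name services that are not installed. The script below is an added example for this thread, not part of the original post or of the tool that produced the log; the sample log is constructed from entries copied above plus two hypothetical services, "FakeUpdSvc" and "OrphanSvc", inserted to exercise the checks.

```python
"""Cross-check svchost-hosted services against the Svchost group key.

Added example, not from the original post. The sample log is constructed:
real entries from the posted log plus two hypothetical services
(FakeUpdSvc, OrphanSvc) that should trip the checks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# "<path>svchost.exe -k <group>", with an optionally quoted path.
SVCHOST_CMD = re.compile(r'^"?(?P<exe>.*?svchost\.exe)"?\s+-k\s+(?P<group>\S+)', re.IGNORECASE)
# Where the genuine service host lives on a 32-bit Vista install.
GENUINE_SVCHOST = re.compile(r"(%systemroot%|c:\\windows)\\system32\\svchost\.exe", re.IGNORECASE)


@dataclass
class Service:
    name: str
    display: Optional[str] = None
    image: Optional[str] = None


def parse_log(text: str) -> Tuple[Dict[str, Service], Dict[str, Set[str]]]:
    """Return (services keyed by registry name, svchost group -> lowercase members)."""
    services: Dict[str, Service] = {}
    groups: Dict[str, Set[str]] = {}
    current: Optional[Service] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- ") and line.endswith(" ---"):
            section = line.strip("- ").lower()     # e.g. "svchost regkey"
            current = None
            continue
        if line.lower().startswith(SERVICES_PREFIX.lower()):
            current = Service(name=line[len(SERVICES_PREFIX):])
            services[current.name] = current
            continue
        if current is not None:
            if not line:
                current = None                     # blank line closes the entry
            elif line.startswith('"DisplayName"='):
                current.display = line.split("=", 1)[1].strip('"')
            elif line.lower() != "no imagepath value found":
                current.image = line               # anything else is the ImagePath
            continue
        if section == "svchost regkey" and ":" in line and not line.upper().startswith("HKEY"):
            group, members = line.split(":", 1)
            # REG_MULTI_SZ is rendered with literal "\0" separators and a "\0\0" terminator.
            groups[group.strip().lower()] = {m.lower() for m in members.strip().split("\\0") if m}
    return services, groups


def audit(services: Dict[str, Service], groups: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, service, message) findings; drivers and plain EXEs are skipped."""
    findings: List[Tuple[str, str, str]] = []
    for svc in services.values():
        if svc.image is None:
            findings.append(("info", svc.name, "no ImagePath value (orphaned key?)"))
            continue
        m = SVCHOST_CMD.match(svc.image)
        if not m:
            continue
        exe, group = m.group("exe"), m.group("group").lower()
        if not GENUINE_SVCHOST.fullmatch(exe):
            findings.append(("warn", svc.name, f"svchost.exe launched from unexpected path: {exe}"))
        members = groups.get(group)
        if members is None:
            findings.append(("warn", svc.name, f"-k {group}: group not defined under the Svchost key"))
        elif svc.name.lower() not in members:
            findings.append(("warn", svc.name, f"-k {group}: service is not listed in that group"))
    return findings


# Constructed sample: the first three entries are copied from the posted log,
# FakeUpdSvc and OrphanSvc are hypothetical and exist only to trip the checks.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc
"DisplayName"="@%SystemRoot%\\system32\\wecsvc.dll,-200"
%SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiAcpi
"DisplayName"="Microsoft Windows Management Interface for ACPI"
system32\DRIVERS\wmiacpi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearchIdxPi
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FakeUpdSvc
"DisplayName"="Windows Update Helper"
C:\Users\Public\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OrphanSvc
%SystemRoot%\system32\svchost.exe -k netsvcs


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
NetworkService: CryptSvc\0DHCP\0WinRM\0WECSVC\0\0
netsvcs: AeLookupSvc\0wercplsupport\0Themes\0wuauserv\0BITS\0\0
"""


def run(text: str = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    services, groups = parse_log(text)
    return audit(services, groups)


if __name__ == "__main__":
    for severity, name, message in run():
        print(f"[{severity}] {name}: {message}")
```

Feed it the full text of a log in this format and read the "warn" lines first; an "info" line for a GUID-named key with no ImagePath, like the two at the end of the services list above, is common leftover from uninstalled software and is worth a look but is not by itself a sign of infection.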

#13 Patrick Casher

  • Topic Starter
  • Members
  • 10 posts

Posted 30 August 2007 - 05:47 AM

Found I didn't have the latest version of Yahoo Messenger so updated it.

#14 Patrick Casher

  • Topic Starter
  • Members
  • 10 posts

Posted 30 August 2007 - 09:28 AM

Oops, thought I had the latest but it wasn't. Seem to be having problems installing it: some kind of error 404 and something with Macromedia Flash Player, so I uninstalled it. Tried to go to the Yahoo Messenger website but got a blank screen. Guess I'll leave it uninstalled. Maybe try MSN Messenger instead.

#15 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 31 August 2007 - 02:56 PM

Hi Patrick Casher, :flowers:

1.

Long shutdown time - Noticed, maybe since ZoneAlarm, maybe I'll try and back it out and see if it makes a difference.


Okay, but make sure whichever one you keep has real-time protection enabled.

2. Please check my recommendations in post 4 to see if you can speed up your computer.

All the logs look clean, so I don't think your problems are malware related, and you are therefore ready to go.

3. Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start>Help and Support>Undo changes to your computer with System Restore
Click Create A Restore Point, then click Next. Give it a name and then click Create.

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

4. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend you read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back against the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:



