
Acquiring Network Address


43 replies to this topic

#1 mikegru
  • Members
  • 156 posts

Posted 08 October 2007 - 05:59 PM

I am working with Blender and Dave on 2 other issues with desktop machines in my office - this issue has to do with my personal laptop - I have had a string of incredible bad luck recently with computers.

My laptop recognizes wireless networks in the area and tries to connect, however it only goes as far as "acquiring network address" and does not actually connect to the internet. I also have a wired high-speed connection that doesn't detect the internet either. The internet was working Friday Oct 5, but did not work on Saturday the 6th. I tried using System Restore to reset the settings to Friday or before, but there were no restore points stored. I checked to make sure System Restore was on, and it was turned on. I've also run AVG, Ad-Aware, Spybot S&D, VundoFix, and SmitFraud. I've tried assigning a static IP address, and the PC states it's connected, but it's not - no browsing or email. I've also tried to start DHCP, but received the following: error 1068: The dependency service or group failed to start.

After reading the bleepingcomputer warning about Smitfraud, I'm afraid that AVG may have deleted part of the LSP chain, causing the internet to be lost. Also, after running Smitfraud in Safe Mode, my main screen appears to be a lighter color of blue. Since I can't connect to the internet with the PC in question, I've been using a jump drive to download and transfer programs and reports back & forth. Is there any way you can check to see what's happening with the laptop?

Thanks
Mike

Moderator Edit~ This topic was moved as per HJT member's request.

Edited by Pandy, 11 October 2007 - 01:08 PM.
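The "error 1068" in the post above means the DHCP Client service was asked to start but one of the services it depends on is not running; on XP `sc qc Dhcp` lists Tcpip, Afd and NetBT as its dependencies, and `sc query <name>` shows each one's state. Added example, not code from the thread: a Python script that walks that dependency list from saved `sc qc` / `sc query` output and names the first dependency that is not RUNNING. The dumps embedded in it are constructed (the line layout of `sc` output is an assumption from memory), and the stopped Afd driver is the invented fault; on the real machine the equivalent is to run the two `sc` commands in cmd, save the output, and feed the files to the script on a working PC.

```python
"""Walk a service's DEPENDENCIES list from saved `sc qc` / `sc query` output
and report the first dependency that is not running, which is the cause
that error 1068 ("The dependency service or group failed to start") hides.
Added example, not from the thread."""
import re
from typing import Dict, List, Optional

# Constructed dumps in the layout `sc qc <name>` and `sc query <name>` print
# (layout assumed from memory).  Dhcp's dependencies are the XP defaults;
# the STOPPED Afd driver is the invented fault for the demonstration.
SC_QC: Dict[str, str] = {
    "Dhcp": r"""
SERVICE_NAME: Dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : Tcpip
                           : Afd
                           : NetBT
        SERVICE_START_NAME : LocalSystem
""",
    "NetBT": "\nSERVICE_NAME: NetBT\n        TYPE               : 1  KERNEL_DRIVER\n        DEPENDENCIES       : Tcpip\n",
    "Tcpip": "\nSERVICE_NAME: Tcpip\n        DEPENDENCIES       : \n",
    "Afd":   "\nSERVICE_NAME: Afd\n        DEPENDENCIES       : \n",
}
SC_QUERY: Dict[str, str] = {
    "Dhcp":  "SERVICE_NAME: Dhcp\n        STATE              : 1  STOPPED\n",
    "Tcpip": "SERVICE_NAME: Tcpip\n        STATE              : 4  RUNNING\n",
    "Afd":   "SERVICE_NAME: Afd\n        STATE              : 1  STOPPED\n",
    "NetBT": "SERVICE_NAME: NetBT\n        STATE              : 4  RUNNING\n",
}

def parse_dependencies(qc_output: str) -> List[str]:
    """Read the DEPENDENCIES block; continuation lines carry only ': name'.
    Names starting with '+' are load-order groups, not services, and are skipped."""
    deps: List[str] = []
    in_deps = False
    for line in qc_output.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)?\s*:\s*(.*?)\s*$", line)
        if not m:
            in_deps = False
            continue
        key, value = m.group(1), m.group(2)
        if key is not None:
            in_deps = key == "DEPENDENCIES"
        if in_deps and value and not value.startswith("+"):
            deps.append(value)
    return deps

def service_state(query_output: str) -> Optional[str]:
    """Return the word after 'STATE : <n>' (RUNNING, STOPPED, ...)."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", query_output)
    return m.group(1) if m else None

def first_stopped_dependency(service: str, qc: Dict[str, str], query: Dict[str, str],
                             seen: Optional[set] = None) -> Optional[List[str]]:
    """Depth-first walk: the chain service -> ... -> stopped dependency,
    or None when every dependency is RUNNING."""
    seen = set() if seen is None else seen
    seen.add(service)
    for dep in parse_dependencies(qc.get(service, "")):
        if dep in seen:
            continue
        if service_state(query.get(dep, "")) != "RUNNING":
            deeper = first_stopped_dependency(dep, qc, query, seen)
            return [service] + (deeper or [dep])
    return None

if __name__ == "__main__":
    chain = first_stopped_dependency("Dhcp", SC_QC, SC_QUERY)
    print("all dependencies running" if chain is None else " -> ".join(chain))
```

The script stops at the first non-running dependency and follows that service's own list, so the last name it prints is the one to start (or to chase in the System event log) before DHCP will come up.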



#2 Blender
    I will eat your Malware
  • Malware Response Team
  • 2,363 posts
  • Location: Ontario

Posted 08 October 2007 - 11:06 PM

Hey Mike,

What makes you think AVG deleted LSP items? Does it show in the AVG log?
Have a file name it deleted? Path?
SmitFraudFix find something?

What OS is this laptop please?
If XP, what service pack does it have? 1 or 2 or none?

Don't post any logs here... let me know what you found and I'll get the thread moved to HJT if necessary.

Running SmitFraudFix on a non-infected computer will reset the background settings like that blue...
To fix:
Right click desktop > Properties > Desktop > change the picture in there.
Apply settings.
Need to log off/on again to make it work usually.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 mikegru
  • Topic Starter

Posted 09 October 2007 - 08:35 AM

I'm running XP SP2. I did change the screen back to dark blue, thanks. The AVG log shows a scan on Oct 6 (the day the internet connectivity stopped) with a virus called "Trojan Horse BHO.BLD" with the status "infected". Later that same day, I ran another scan which resulted in another find, "C:\Documents and Settings\Mike Gruendel\Local Settings\Temp\sch16.dll" (which is also listed as a Trojan Horse BHO.BLD), which shows a status of "deleted". I think I read an article on bleepingcomputer which said that if a HijackThis log listed the exact same file name in the O2 and O20 categories, there was likely an LSP infection - the file creduim.dll is listed in both the O2 and O20 categories in the HJT log for the laptop. Another article said that if an antivirus program ran and recognized and deleted a part of the LSP chain, internet connectivity would be lost. I just guessed that AVG had found part of that chain, had deleted it, and that's why I lost internet connectivity. I've tried everything listed in my earlier post, but no luck. My logic may be off, but that's what a little information in the hands of a novice can do!

#4 Blender

Posted 11 October 2007 - 02:55 AM

Hi there,

Sorry for delay.
I got involved in a bunch of work stuff....

Mmmm k..
Good bunch of info btw :thumbsup:
I think we better see a hijack log but I will get this thread moved over to Hijackthis logs forum first.
I can't do it... need to find me a Mod. :blink:

I wanna see some logs before we play with LSP settings.... otherwise you will be re-installing windows.

yes. You are right...
If AVG did delete a rogue LSP dll improperly it would upset the LSP chain resulting in broken internet.
It can be fixed but I need to see what else is happening first.

Sometimes moving a thread will "break" topic reply notices so if I don't reply in reasonable time after it has been moved.... PM me please.

Thanks :wacko:

#5 Blender

Posted 11 October 2007 - 03:39 PM

Hi Mike,

Ok... I got the topic moved.
Can you post your Hijackthis log please for this computer?

Also the AVG log if you still have it.

Thanks!

#6 mikegru
  • Topic Starter

Posted 11 October 2007 - 04:17 PM

Here is the HJT log - I don't know how to get the AVG log file - if you can tell me how to get it, I will send. AVG found the following in 2 scans 10/6/07: Object - c:\documents and settings\mike gruendel\local settings\temp\sch16.dll; Result - Trojan Horse BHO.BLD; Status - Infected. Later that same day, here is the result of the scan: Object - c:\documents and settings\mike gruendel\local settings\temp\sch16.dll; Result - is blank; Status - Deleted.

Interesting - I just tried to send this message to you, and it errored, saying I was using an old version of HJT. I downloaded this copy 10/08/07 - it's listed as HiJackThis_v2.exe, with a size of 1,278 KB.

Well, here is the HJT log using the version bleepingcomputer likes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:28 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Hijackthis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10f.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go11f.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8155 bytes
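The "AVG deleted part of the LSP chain" theory in posts #1, #3 and #4, and the O10 line in the log above, both come down to one check: does every Winsock catalog entry still point at a DLL that exists on disk, and does every layered chain still point at catalog entry ids that are in the catalog? Added example, not code from the thread: a Python script that parses a saved `netsh winsock show catalog` dump (run it on the broken XP SP2 machine, redirect it to a file, carry it over on the jump drive) and reports entries whose DLL is missing or whose chain references an unknown entry id. The dump embedded in it is constructed; the field names follow the netsh output layout and are an assumption, and the "Example LSP" entries 1002/1003 are hypothetical. nwprovau.dll from the O10 line above is Microsoft's NetWare name-space provider and is present on disk, so a check like this would not flag it; the failure mode to look for is an entry whose file is gone.

```python
"""Check a saved `netsh winsock show catalog` dump for LSP entries whose DLL
is gone, or whose protocol chain points at a catalog entry that no longer
exists: the state an anti-virus leaves behind when it deletes an LSP DLL
without unregistering it.  Added example, not from the thread."""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the layout `netsh winsock show catalog` prints on
# XP SP2 (layout and field names are an assumption).  Entries 1002/1003 are
# a hypothetical "Example LSP" whose DLL has been deleted from disk.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\WINDOWS\system32\example_lsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\WINDOWS\system32\example_lsp.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
Protocol Chain:                     1002 1001
"""

@dataclass
class CatalogEntry:
    entry_id: int
    entry_type: str
    description: str
    path: str
    chain: List[int] = field(default_factory=list)

def parse_catalog(text: str) -> List[CatalogEntry]:
    """Split the dump into entries and read each `Key: value` line."""
    entries: List[CatalogEntry] = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first ':' only, paths contain ':'
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(CatalogEntry(
            entry_id=int(fields.get("Catalog Entry ID", "0")),
            entry_type=fields.get("Entry Type", ""),
            description=fields.get("Description", ""),
            path=fields.get("Provider Path", ""),
            chain=[int(x) for x in fields.get("Protocol Chain", "").split()],
        ))
    return entries

def expand_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% as the Windows loader would; os.path.expandvars only does
    that on Windows, and the dump is usually read on another machine."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)

def find_dangling(entries: List[CatalogEntry], exists: Callable[[str], bool],
                  env: Optional[Dict[str, str]] = None) -> List[Tuple[int, str, str]]:
    """Return (entry id, problem, detail) for every entry that is broken."""
    env = env or {"SystemRoot": r"C:\WINDOWS"}
    known = {e.entry_id for e in entries}
    problems: List[Tuple[int, str, str]] = []
    for e in entries:
        dll = expand_path(e.path, env)
        if dll and not exists(dll):
            problems.append((e.entry_id, "missing DLL", dll))
        for ref in e.chain:
            if ref not in known:
                problems.append((e.entry_id, "chain references unknown entry", str(ref)))
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    for entry_id, problem, detail in find_dangling(parse_catalog(text), os.path.isfile):
        print(f"catalog entry {entry_id}: {problem}: {detail}")
```

`exists` is passed in so the dump can be checked on a different machine than the one it came from (hand it a function that looks at a copied system32 listing, or `os.path.isfile` when run on the affected PC). When it does report a missing DLL on XP SP2, `netsh winsock reset` rebuilds the catalog from the defaults after a reboot; it drops every third-party LSP, legitimate ones included, which is why the helpers here want the logs reviewed first.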

#7 Blender

Posted 11 October 2007 - 08:07 PM

Hi,

You have a couple yukky infections.

I don't understand this...
No chance you ran some keygens or something eh?
no... you're not gunna get in trouble... I'm just trying to figure out why you have now 3 possibly 4 computers infected.

Did you have this laptop at work recently?

----------------------

couple logs I need.

1.) Download FindAWF from here and save it to the desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Post the contents of log here please.

2.) Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.

You will see several choices. (1,2,3,A,B,C,D,U,E)
We just want a log.

Type A & hit enter.
It will take a few minutes to complete the scan. Wait till the log pops up.

Post the C:\SystemReport.txt

3.) Double click RunThis.bat again from the SDFix folder.

You will see several choices. (1,2,3,A,B,C,D,U,E)

Type B & hit enter.
It will take a few minutes to complete the scan. Wait till the log pops up.

Post the Service_Driver.txt

Likely take 2 posts to get all 3 logs in.

Thanks
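FindAWF's report (one is posted later in this thread) lists every `bak` folder it finds and the files elsewhere on disk that share a name and size with the bak contents; what a responder then wants to know for each one is whether the file that now sits beside the `bak` folder is still the backed-up original. Added example, not noahdfear's tool and not code from the thread: a Python script that walks a tree, finds directories named `bak`, and hashes each file in them against the same-named file in the parent directory. The tree it scans by default is constructed in a temp folder for the demonstration, with placeholder bytes standing in for executables; its three cases (parent differs, parent identical, parent absent) are the three outcomes the scanner distinguishes.

```python
"""Find `bak` subfolders and compare their contents with the same-named file
in the parent directory.  Added example; not noahdfear's FindAWF and not
code from the thread."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_bak_folders(root: str) -> List[Dict[str, str]]:
    """For every directory named `bak` under `root`, classify each file in it:
    'replaced'       - a same-named file exists in the parent but its bytes differ
    'identical'      - the parent's copy is byte-for-byte the backed-up file
    'parent missing' - nothing of that name sits in the parent any more"""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            bak_file = os.path.join(dirpath, name)
            live_file = os.path.join(parent, name)
            if not os.path.isfile(live_file):
                status = "parent missing"
            elif (os.path.getsize(live_file) == os.path.getsize(bak_file)
                  and sha256_of(live_file) == sha256_of(bak_file)):
                status = "identical"
            else:
                status = "replaced"
            findings.append({"parent": parent, "file": name, "status": status})
    return findings

def build_sample_tree() -> str:
    """Constructed tree in a temp dir (not the poster's disk) with one `bak`
    folder per outcome; the contents are placeholder bytes, not real binaries."""
    root = tempfile.mkdtemp(prefix="findbak_")
    layout = {
        "Program Files/DAP/DAP.EXE":                 b"MZ stub that now sits where DAP.EXE was",
        "Program Files/DAP/bak/DAP.EXE":             b"MZ original DAP.EXE",
        "Program Files/iTunes/iTunesHelper.exe":     b"MZ iTunesHelper",
        "Program Files/iTunes/bak/iTunesHelper.exe": b"MZ iTunesHelper",
        "Program Files/QuickTime/bak/qttask.exe":    b"MZ original qttask.exe",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in scan_bak_folders(root):
        print(f"{hit['status']:15} {os.path.join(hit['parent'], hit['file'])}")
```

Point it at the real tree with `python findbak.py "C:\Program Files"` (and again at `C:\WINDOWS\system32`); the `replaced` lines are the ones to pull, since whatever now sits at that path is not the file that was moved into `bak`. Matching by hash rather than by name and size is the difference from the report format, so a same-size file with altered contents is still caught.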

#8 mikegru
  • Topic Starter

Posted 12 October 2007 - 08:31 AM

Good morning - I just looked up "keygen" (had no idea what it was) and yes, I recognize the word. A while back, I lost some data on my laptop HDD and called a friend I knew in the computer business to see if he could help me recover some of the data. He installed a program called "Recover My Files" and another program called "keygen.exe". He actually copied the programs onto one of my jump drives, then loaded it into my laptop and ran the program. I used that jump drive to transfer some data to my desktop as well. Now the keygen.exe is on my desktop. I'll run the apps you requested and send the results directly.
Thanks
Mike

#9 mikegru
  • Topic Starter

Posted 12 October 2007 - 09:03 AM

Hi - Here are the Find AWF and SDFix logs.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 10/12/2007
The current time is: 9:42:36.07


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DAP\BAK

10/26/2004 02:23 PM 1,491,968 DAP.EXE
1 File(s) 1,491,968 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/18/2004 01:20 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/04/2003 02:47 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/30/2003 04:33 AM 118,784 hkcmd.exe
01/30/2003 07:55 PM 311,296 hphmon03.exe
05/22/2003 10:55 PM 483,328 hphmon05.exe
10/30/2003 04:46 AM 155,648 igfxtray.exe
4 File(s) 1,069,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

09/14/2004 09:02 PM 70,776 ccApp.exe
1 File(s) 70,776 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

08/13/2006 09:35 AM 369,664 avgcc.exe
1 File(s) 369,664 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{45B61~1\BAK

05/22/2003 11:03 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

04/30/2004 01:32 PM 208,958 cpqset.exe
1 File(s) 208,958 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

07/30/2004 11:33 AM 286,720 EabServr.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/26/2004 01:15 PM 536,576 SynTPEnh.exe
05/26/2004 01:15 PM 98,304 SynTPLpr.exe
2 File(s) 634,880 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/18/2004 09:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 04:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\10720~1.364\BAK

09/16/2006 12:45 AM 155,896 GoogleToolbarNotifier.exe
1 File(s) 155,896 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~2.2_0\BIN\BAK

06/03/2004 11:05 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\NETGEAR\WPN511\UTILITY\BAK

02/02/2005 10:29 AM 483,328 WPN511.exe
1 File(s) 483,328 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/30/2003 07:55 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1491968 Oct 26 2004 "C:\Program Files\DAP\bak\DAP.EXE"
278528 Dec 18 2004 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Dec 18 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
98304 May 4 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Oct 30 2003 "C:\swsetup\video\hkcmd.exe"
118784 Oct 30 2003 "C:\swsetup\video\Win2000\hkcmd.exe"
118784 Oct 30 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
311296 Jan 30 2003 "C:\WINDOWS\system32\bak\hphmon03.exe"
311296 Jan 30 2003 "C:\temp\photosmart\enu\drivers\win2k_xp\HPHmon03.exe"
311296 Jan 30 2003 "C:\Program Files\hp photosmart\hphinstall\enu\drivers\win2k_xp\HPHmon03.exe"
483328 May 22 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\deu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\enu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\esm\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\fra\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\grk\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ita\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\nld\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ptb\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\rus\HPHmon05.exe"
155648 Oct 30 2003 "C:\swsetup\video\igfxtray.exe"
155648 Oct 30 2003 "C:\swsetup\video\Win2000\igfxtray.exe"
155648 Oct 30 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
70776 Sep 14 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
421888 Sep 13 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
369664 Aug 13 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
416256 Apr 20 2007 "C:\UBCD4Win\BartPE\PROGRAMS\AVG75\avgcc.exe"
416256 Apr 20 2007 "C:\UBCD4Win\plugin\AntiVirus\AVG_75\src\avgcc.exe"
49152 Feb 16 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 May 22 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
49152 May 22 2003 "C:\hp\tmp\src\psptr\Patch\Uninst\HPHupd05.exe"
208958 Apr 30 2004 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
286720 Jul 30 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
536576 May 26 2004 "C:\swsetup\Touchpad\SynTPEnh.exe"
536576 May 26 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
98304 May 26 2004 "C:\swsetup\Touchpad\SynTPLpr.exe"
98304 May 26 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
180269 Oct 18 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
163576 Oct 17 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
155896 Sep 16 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
32881 May 4 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
483328 Feb 2 2005 "C:\Program Files\NETGEAR\WPN511\Utility\bak\WPN511.exe"
196608 Jan 30 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report

----------------------


System Report
*************

Run on Fri 10/12/2007 at 09:52 AM

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [348]
\??\C:\WINDOWS\system32\csrss.exe [396]
\??\C:\WINDOWS\system32\winlogon.exe [420]
C:\WINDOWS\system32\services.exe [464]
C:\WINDOWS\system32\lsass.exe [476]
C:\WINDOWS\system32\svchost.exe [620]
C:\WINDOWS\system32\svchost.exe [680]
C:\WINDOWS\System32\svchost.exe [720]
C:\WINDOWS\system32\svchost.exe [760]
C:\WINDOWS\system32\svchost.exe [852]
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [980]
C:\WINDOWS\system32\spoolsv.exe [1044]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [1144]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [1156]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [1188]
C:\Program Files\ewido\security suite\ewidoctrl.exe [1240]
C:\Program Files\Norton AntiVirus\navapsvc.exe [1260]
C:\WINDOWS\system32\HPZipm12.exe [1296]
C:\WINDOWS\system32\svchost.exe [1428]
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [1516]
C:\WINDOWS\System32\alg.exe [1876]
C:\WINDOWS\Explorer.EXE [1580]
C:\Program Files\iTunes\iTunesHelper.exe [1988]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1996]
C:\Program Files\Messenger\msmsgs.exe [2004]
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2020]
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [124]
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [152]
C:\wspan\swgw\FilterAgent.exe [192]
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe [1404]
C:\WINDOWS\system32\DllHost.exe [284]
C:\Program Files\iPod\bin\iPodService.exe [748]
C:\WINDOWS\system32\wscntfy.exe [528]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe [2088]
C:\Documents and Settings\Mike Gruendel\Application Data\U3\0000060432075492\LaunchPad.exe [1328]


Files Created/Modified - 60 Days :


C:\

Oct 8 2007 8:28:10p 211 A.SHR "C:\boot.ini"
Oct 10 2007 8:33:04a 7,545 A.... "C:\ComboFix.txt"
Oct 9 2007 10:32:10p 9,120 A.... "C:\ComboFix2.txt"
Oct 12 2007 9:05:16a 501,731,328 A.SH. "C:\hiberfil.sys"
Oct 12 2007 9:08:14a 500,000 A.... "C:\logfile.log"
Oct 12 2007 9:05:14a 754,974,720 A.SH. "C:\pagefile.sys"
Oct 8 2007 6:34:36p 1,333 A.... "C:\rapport.txt"
Oct 8 2007 6:24:50p 340 A.... "C:\VundoFix.txt"


C:\WINDOWS\

Oct 12 2007 9:06:18a 0 A.... "C:\WINDOWS\0.log"
Oct 12 2007 9:05:16a 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
Sep 28 2007 9:06:10a 135,168 A.... "C:\WINDOWS\catchme.exe"
Aug 16 2007 2:49:06p 211 A.... "C:\WINDOWS\cdplayer.ini"
Oct 1 2007 10:11:26p 17,054 A.... "C:\WINDOWS\KB893803v2.log"
Oct 8 2007 6:32:52p 230,638 A.... "C:\WINDOWS\ntbtlog.txt"
Oct 8 2007 12:05:36p 6,667 A.... "C:\WINDOWS\resetlog.txt"
Oct 11 2007 5:19:22p 31,862 A.... "C:\WINDOWS\SchedLgU.Txt"
Oct 8 2007 6:36:54p 120 A.... "C:\WINDOWS\setupact.log"
Oct 9 2007 4:00:50p 93,870 A.... "C:\WINDOWS\setupapi.log"
Oct 1 2007 9:51:54p 0 A.... "C:\WINDOWS\setuperr.log"
Oct 8 2007 8:28:10p 227 A.... "C:\WINDOWS\system.ini"
Oct 12 2007 9:05:24a 159 A.... "C:\WINDOWS\wiadebug.log"
Oct 12 2007 9:05:24a 50 A.... "C:\WINDOWS\wiaservc.log"
Oct 8 2007 8:28:10p 717 A.... "C:\WINDOWS\win.ini"
Oct 12 2007 9:05:26a 1,736,282 A.... "C:\WINDOWS\WindowsUpdate.log"
Oct 4 2007 5:13:56p 1,612 A.... "C:\WINDOWS\wmsetup.log"
Sep 26 2007 11:43:58a 804 A.... "C:\WINDOWS\WSFileIOLog.txt"


C:\WINDOWS\system\



C:\WINDOWS\system32\



C:\WINDOWS\system32\drivers\

Sep 21 2007 9:48:36a 821,728 A.... "C:\WINDOWS\system32\drivers\avg7core.sys"


C:\WINDOWS\system32\dllcache\



C:\Program Files\

Aug 16 2007 9:12:54a 278,016 A.... "C:\Program Files\Grisoft\AVG7\avgamint.dll"
Sep 13 2007 3:42:08p 421,888 A.... "C:\Program Files\Grisoft\AVG7\avgcc.exe"
Aug 16 2007 9:12:58a 526,336 A.... "C:\Program Files\Grisoft\AVG7\avgcckrn.dll"
Aug 16 2007 9:12:58a 507,904 A.... "C:\Program Files\Grisoft\AVG7\avgcfg.dll"
Sep 21 2007 9:48:42a 615,936 A.... "C:\Program Files\Grisoft\AVG7\avgcore.dll"
Aug 16 2007 9:12:58a 353,280 A.... "C:\Program Files\Grisoft\AVG7\avgemc.exe"
Aug 16 2007 9:12:58a 363,520 A.... "C:\Program Files\Grisoft\AVG7\avgemsui.dll"
Aug 16 2007 9:13:00a 138,752 A.... "C:\Program Files\Grisoft\AVG7\avgeud32.dll"
Sep 13 2007 3:42:08p 438,272 A.... "C:\Program Files\Grisoft\AVG7\avginet.exe"
Aug 16 2007 9:12:58a 58,368 A.... "C:\Program Files\Grisoft\AVG7\avglng.dll"
Oct 6 2007 3:58:32p 303,104 A.... "C:\Program Files\Grisoft\AVG7\avgresf.dll"
Aug 16 2007 9:12:58a 343,552 A.... "C:\Program Files\Grisoft\AVG7\avgscan.dll"
Aug 16 2007 9:12:56a 402,432 A.... "C:\Program Files\Grisoft\AVG7\avgset.dll"
Sep 13 2007 3:41:36p 658,432 A.... "C:\Program Files\Grisoft\AVG7\avgupd.dll"
Sep 13 2007 3:42:08p 273,920 A.... "C:\Program Files\Grisoft\AVG7\avgwb.dat"
Sep 13 2007 3:42:08p 676,083 A.... "C:\Program Files\Grisoft\AVG7\setup.dat"
Aug 16 2007 9:13:00a 1,334,272 A.... "C:\Program Files\Grisoft\AVG7\setup.exe"
Oct 5 2007 3:37:20p 72 A.... "C:\Program Files\Symantec\LiveUpdate\ludirloc.dat"
Oct 5 2007 11:14:20a 2,072 A.... "C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041214.009\vscanmsx.dat"


Program Folders:

C:\Program Files\

Adobe
Avery Dennison
CCleaner
Common Files
ComPlus Applications
CONEXANT
DAP
DAP(2)
DivX
Easy Internet signup
Easy Video Joiner
EphPod
ewido
FileJoiner
Fly Fishing with Cortland
GetData
Google
Grisoft
GSpot
Hewlett-Packard
HP
hp deskjet 930c series
hp photosmart
HPQ
InstallShield Installation Information
InterActual
Internet Explorer
InterVideo
iPod
iPod2PC
iTunes
Java
Lavasoft
Messenger
Microsoft ActiveSync
microsoft frontpage
Microsoft IntelliPoint 4.12
Microsoft Money
Microsoft Office
Microsoft Works
Microsoft.NET
Movie Maker
MSN
MSN Encarta Plus
MSN Gaming Zone
MsnMusic
NETGEAR
NetMeeting
Norton AntiVirus
Online Services
Outlook Express
Quicken
QuickTime
Real
RecordNow!
SkyMap Pro 8 Demo
Snapshot Viewer
Sonic
Sony Corporation
Spybot - Search & Destroy
SpywareBlaster
Symantec
Synaptics
TARGUS
TaxCut03
TaxCut04
TaxCut05
Uninstall Information
VIA
Video Joiner
VideoLAN
Viewpoint
Windows Media Connect 2
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
WinUnRAR
xerox
Yahoo!
Zone.com
Zone.com Deluxe Games

C:\Program Files\Common Files\

Adobe
DESIGNER
Hewlett-Packard
InstallShield
Intuit
Java
Microsoft Shared
MSSoap
muvee Technologies
Nullsoft
ODBC
Palo Alto Software
Real
Services
Sonic
SpeechEngines
SureThing Shared
SWF Studio
Symantec Shared
System
xing shared


Add/Remove Programs:

Ad-Aware SE Personal
AVG 7.5
AVI MPEG WMV Joiner
CCleaner (remove only)
SoftV92 Data Fax Modem with SmartCP
Conexant AC-Link Audio
Download Accelerator Plus
Easy Video Joiner 5.21
ewido security suite
v1
Fly Fishing with Cortland
GO! Res
HijackThis 2.0.2
hp photosmart printer series (Remove only)
iTunes
Quicken 2004
Easy Internet Sign-up
DesignPro 5.0 Limited Edition
InterActual Player
iPod2PC 3.2.0.6
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Security Update for Windows XP (KB883939)
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Security Update for Windows XP (KB890046)
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Update for Windows XP (KB896727)
Security Update for Step By Step Interactive Training (KB898458)
Update for Windows XP (KB898461)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Update for Windows XP (KB910437)
Hotfix for Windows XP (KB926239)
KONICA MINOLTA magicolor2300W
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
Panda ActiveScan
QuickTime
RealPlayer
Recover My Files
Adobe Flash Player 9 ActiveX
SkyMap Pro 8
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Norton AntiVirus 2004 (Symantec Corporation)
TaxCut 2002
TaxCut 2003
TaxCut 2004
TaxCut Premium 2005
UBCD4Win 3.06
VideoLAN VLC media player 0.8.5
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Worldspan API
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Office 2000 Professional
Microsoft Office 2000 Disc 2
Sonic Update Manager
Adobe Photoshop Album 2.0 Starter Edition
Norton WMI Update
HP Software Update
AutoUpdate
Microsoft Money 2004
Picture Package
Google Toolbar for Internet Explorer
PA095 / PA075 USB2.0 DOCK
HP PSC & OfficeJet 6.1.A
Enterprise
iTunes
Photosmart 140,240,7200,7600,7700,7900 Series
Macromedia Flash Player
Quicken 2004
Sony USB Driver
Windows Genuine Advantage v1.3.0254.0
AiO_Scan
Zone Deluxe Games
NETGEAR RangeMax™ Wireless PC Card WPN511
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Microsoft Works 7.0
DivX Codec
PSShortcutsP
Easy Internet Sign-up
QFolder
Intel® Extreme Graphics 2 Driver
DivX Player
Microsoft Money 2004 System Pack
HP PSC & Officejet 4.7 Corporate Edition
Microsoft Office Standard Edition 2003
RecordNow!
DesignPro 5.0 Limited Edition
InterVideo WinDVD
HP Help and Support
Adobe Acrobat 6.0 Standard
Adobe Reader 6.0.1
DivX Converter
Scan
Norton AntiVirus 2004
AiO_Scan_CDA
Microsoft .NET Framework 1.1
Quick Launch Buttons 5.00 B3
Symantec Script Blocking Installer
CC_ccStart
HpSdpAppCoreApp
ccCommon
SymNet
Norton AntiVirus Parent MSI
HP Deskjet Preloaded Printer Drivers
MSRedist


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"DownloadAccelerator"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"AS00_WPN511"="C:\\Program Files\\NETGEAR\\WPN511\\Utility\\WPN511.exe -hide"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ccApp"="-"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"


Bot Check:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


ShellExecuteHooks:


HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
{AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
{54D9498B-CF93-414F-8984-8CE7FDE0D391} REG_SZ ewido shell guard


Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;c:\wspan\swgw
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
VERSION REG_EXPAND_SZ 3.0.5.001
SESSIONID REG_EXPAND_SZ 1129500904816htx60601bc6271:106fb800a41:-7bf4
COLLECTIONID REG_EXPAND_SZ COL8143
ITEMID REG_EXPAND_SZ dj-22741-15
UPDATEDIR REG_EXPAND_SZ C:\DOCUME~1\MIKEGR~1\LOCALS~1\Temp\radBF102.tmp
TOOLPATH REG_EXPAND_SZ /C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
HMSERVER REG_EXPAND_SZ https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
SWUTVER REG_EXPAND_SZ 1.0.3.1
OSVER REG_EXPAND_SZ winXPH
LANG REG_EXPAND_SZ 1033
TIMEOUT REG_EXPAND_SZ 0


IFEO Debugger values:


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\your image file name here without a path
Debugger REG_SZ ntsd -d
GlobalFlag REG_SZ 0x000010F0


SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0


Non-Default Installed Components Values:


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}
Version REG_SZ 10,0,0,1
<NO NAME> REG_SZ Web Folders
StubPath REG_SZ


Non-Default Safeboot Minimal:


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!

-------------------


Service/Driver List:
*******************

Run on Fri 10/12/2007 at 09:54 AM

Microsoft Windows XP [Version 5.1.2600]

START TYPE: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled

Drivers:

SERVICE_NAME: ACPI
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\ACPI.sys
DISPLAY_NAME : Microsoft ACPI Driver

SERVICE_NAME: ACPIEC
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\ACPIEC.sys
DISPLAY_NAME : Microsoft Embedded Controller Driver

SERVICE_NAME: aec
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\aec.sys
DISPLAY_NAME : Microsoft Kernel Acoustic Echo Canceller

SERVICE_NAME: AFD
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\drivers\afd.sys
DISPLAY_NAME : AFD

SERVICE_NAME: agp440
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\agp440.sys
DISPLAY_NAME : Intel AGP Bus Filter

SERVICE_NAME: AliIde
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\aliide.sys
DISPLAY_NAME : AliIde

SERVICE_NAME: Arp1394
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\arp1394.sys
DISPLAY_NAME : 1394 ARP Client Protocol

SERVICE_NAME: AsyncMac
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\asyncmac.sys
DISPLAY_NAME : RAS Asynchronous Media Driver

SERVICE_NAME: atapi
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\atapi.sys
DISPLAY_NAME : Standard IDE/ESDI Hard Disk Controller

SERVICE_NAME: Atmarpc
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\atmarpc.sys
DISPLAY_NAME : ATM ARP Client Protocol

SERVICE_NAME: audstub
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\audstub.sys
DISPLAY_NAME : Audio Stub Driver

SERVICE_NAME: Avg7Core
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\Drivers\avg7core.sys
DISPLAY_NAME : AVG7 Kernel

SERVICE_NAME: Avg7RsW
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\Drivers\avg7rsw.sys
DISPLAY_NAME : AVG7 Wrap Driver

SERVICE_NAME: Avg7RsXP
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\Drivers\avg7rsxp.sys
DISPLAY_NAME : AVG7 Resident Driver XP

SERVICE_NAME: AvgClean
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\Drivers\avgclean.sys
DISPLAY_NAME : AVG7 Clean Driver

SERVICE_NAME: AvgTdi
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : \SystemRoot\System32\Drivers\avgtdi.sys
DISPLAY_NAME : AVG Network Redirector

SERVICE_NAME: AWINDIS5
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\AWINDIS5.SYS
DISPLAY_NAME : AWINDIS5 Protocol Driver

SERVICE_NAME: BCM43XX
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\bcmwl5.sys
DISPLAY_NAME : BCM 802.11b Network Adapter Driver

SERVICE_NAME: CAMCAUD
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\camcaud.sys
DISPLAY_NAME : Conexant AMC 3D Environmental Audio

SERVICE_NAME: CAMCHALA
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\camchal.sys
DISPLAY_NAME : CAMCHALA

SERVICE_NAME: catchme
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\DOCUME~1\MIKEGR~1\LOCALS~1\Temp\catchme.sys
DISPLAY_NAME : catchme

SERVICE_NAME: Cdrom
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\cdrom.sys
DISPLAY_NAME : CD-ROM Driver

SERVICE_NAME: CmBatt
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\CmBatt.sys
DISPLAY_NAME : Microsoft ACPI Control Method Battery Driver

SERVICE_NAME: Compbatt
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\compbatt.sys
DISPLAY_NAME : Microsoft Composite Battery Driver

SERVICE_NAME: Disk
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\disk.sys
DISPLAY_NAME : Disk Driver

SERVICE_NAME: dmboot
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : System32\drivers\dmboot.sys
DISPLAY_NAME : dmboot

SERVICE_NAME: dmio
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : System32\drivers\dmio.sys
DISPLAY_NAME : dmio

SERVICE_NAME: dmload
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : System32\drivers\dmload.sys
DISPLAY_NAME : dmload

SERVICE_NAME: DMusic
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\DMusic.sys
DISPLAY_NAME : Microsoft Kernel DLS Syntheiszer

SERVICE_NAME: Dot4 HPH09
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\hphid409.sys
DISPLAY_NAME : Dot4 HPH09

SERVICE_NAME: Dot4Print HPH09
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\hphipr09.sys
DISPLAY_NAME : Print Class Driver for IEEE-1284.4 HPH09

SERVICE_NAME: Dot4Storage HPH09
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : System32\Drivers\hphs2k09.sys
DISPLAY_NAME : Storage Class Driver for IEEE-1284.4 (HPH09)

SERVICE_NAME: Dot4Usb HPH09
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : System32\drivers\hphius09.sys
DISPLAY_NAME : Dot4Usb HPH09

SERVICE_NAME: drmkaud
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\drmkaud.sys
DISPLAY_NAME : Microsoft Kernel DRM Audio Descrambler

SERVICE_NAME: eabfiltr
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
DISPLAY_NAME : EABFiltr

SERVICE_NAME: eabusb
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\drivers\eabusb.sys
DISPLAY_NAME : eabusb

SERVICE_NAME: ewido security suite driver
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \??\C:\Program Files\ewido\security suite\guard.sys
DISPLAY_NAME : ewido security suite driver

SERVICE_NAME: Fdc
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\fdc.sys
DISPLAY_NAME : Floppy Disk Controller Driver

SERVICE_NAME: Flpydisk
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\flpydisk.sys
DISPLAY_NAME : Floppy Disk Driver

SERVICE_NAME: FltMgr
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\fltMgr.sys
DISPLAY_NAME : FltMgr

SERVICE_NAME: Ftdisk
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\ftdisk.sys
DISPLAY_NAME : Volume Manager Driver

SERVICE_NAME: GEARAspiWDM
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : SYSTEM32\DRIVERS\GEARAspiWDM.sys
DISPLAY_NAME : GEAR CDRom Filter

SERVICE_NAME: Gpc
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\msgpc.sys
DISPLAY_NAME : Generic Packet Classifier

SERVICE_NAME: HidUsb
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\hidusb.sys
DISPLAY_NAME : Microsoft HID Class Driver

SERVICE_NAME: HPZid412
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HPZid412.sys
DISPLAY_NAME : IEEE-1284.4 Driver HPZid412

SERVICE_NAME: HPZipr12
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HPZipr12.sys
DISPLAY_NAME : Print Class Driver for IEEE-1284.4 HPZipr12

SERVICE_NAME: HPZius12
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HPZius12.sys
DISPLAY_NAME : USB to IEEE-1284.4 Translation Driver HPZius12

SERVICE_NAME: HSFHWICH
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HSFHWICH.sys
DISPLAY_NAME : HSFHWICH

SERVICE_NAME: HSF_DP
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HSF_DP.sys
DISPLAY_NAME : HSF_DP

SERVICE_NAME: HTTP
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : System32\Drivers\HTTP.sys
DISPLAY_NAME : HTTP

SERVICE_NAME: i8042prt
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\i8042prt.sys
DISPLAY_NAME : i8042 Keyboard and PS/2 Mouse Port Driver

SERVICE_NAME: ialm
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ialmnt5.sys
DISPLAY_NAME : ialm

SERVICE_NAME: Imapi
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\imapi.sys
DISPLAY_NAME : CD-Burning Filter Driver

SERVICE_NAME: IntelIde
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\intelide.sys
DISPLAY_NAME : IntelIde

SERVICE_NAME: intelppm
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\intelppm.sys
DISPLAY_NAME : Intel Processor Driver

SERVICE_NAME: Ip6Fw
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\Ip6Fw.sys
DISPLAY_NAME : IPv6 Windows Firewall Driver

SERVICE_NAME: IpFilterDriver
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ipfltdrv.sys
DISPLAY_NAME : IP Traffic Filter Driver

SERVICE_NAME: IpInIp
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ipinip.sys
DISPLAY_NAME : IP in IP Tunnel Driver

SERVICE_NAME: IpNat
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ipnat.sys
DISPLAY_NAME : IP Network Address Translator

SERVICE_NAME: IPSec
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys
DISPLAY_NAME : IPSEC driver

SERVICE_NAME: IRENUM
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\irenum.sys
DISPLAY_NAME : IR Enumerator Service

SERVICE_NAME: isapnp
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\isapnp.sys
DISPLAY_NAME : PnP ISA/EISA Bus Driver

SERVICE_NAME: Kbdclass
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\kbdclass.sys
DISPLAY_NAME : Keyboard Class Driver

SERVICE_NAME: kbdhid
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\kbdhid.sys
DISPLAY_NAME : Keyboard HID Driver

SERVICE_NAME: kmixer
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\kmixer.sys
DISPLAY_NAME : Microsoft Kernel Wave Audio Mixer

SERVICE_NAME: MDC8021X
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : system32\DRIVERS\mdc8021x.sys
DISPLAY_NAME : AEGIS Protocol (IEEE 802.1x) v2.3.1.9

SERVICE_NAME: mdmxsdk
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : system32\DRIVERS\mdmxsdk.sys
DISPLAY_NAME : mdmxsdk

SERVICE_NAME: MLPTDR_P
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\MLPTDR_P.sys
DISPLAY_NAME : MLPTDR_P
: +Parallel arbitrator

SERVICE_NAME: Mouclass
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\mouclass.sys
DISPLAY_NAME : Mouse Class Driver

SERVICE_NAME: mouhid
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\mouhid.sys
DISPLAY_NAME : Mouse HID Driver

SERVICE_NAME: MRxDAV
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\mrxdav.sys
DISPLAY_NAME : WebDav Client Redirector

SERVICE_NAME: MRxSmb
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\mrxsmb.sys
DISPLAY_NAME : MRXSMB

SERVICE_NAME: MSKSSRV
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\MSKSSRV.sys
DISPLAY_NAME : Microsoft Streaming Service Proxy

SERVICE_NAME: MSPCLOCK
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\MSPCLOCK.sys
DISPLAY_NAME : Microsoft Streaming Clock Proxy

SERVICE_NAME: MSPQM
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\MSPQM.sys
DISPLAY_NAME : Microsoft Streaming Quality Manager Proxy

SERVICE_NAME: mssmbios
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\mssmbios.sys
DISPLAY_NAME : Microsoft System Management BIOS Driver

SERVICE_NAME: NAVENG
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041214.009\NAVENG.Sys
DISPLAY_NAME : NAVENG

SERVICE_NAME: NAVEX15
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041214.009\NavEx15.Sys
DISPLAY_NAME : NAVEX15

SERVICE_NAME: NdisTapi
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ndistapi.sys
DISPLAY_NAME : Remote Access NDIS TAPI Driver

SERVICE_NAME: Ndisuio
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ndisuio.sys
DISPLAY_NAME : NDIS Usermode I/O Protocol

SERVICE_NAME: NdisWan
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ndiswan.sys
DISPLAY_NAME : Remote Access NDIS WAN Driver

SERVICE_NAME: NetBIOS
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
DISPLAY_NAME : NetBIOS Interface

SERVICE_NAME: NetBT
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\netbt.sys
DISPLAY_NAME : NetBT
: SYMTDI

SERVICE_NAME: NETGEAR_WPN511_SERVICE
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\wpn511.sys
DISPLAY_NAME : NETGEAR WPN511 Wireless Adapter Service

SERVICE_NAME: NIC1394
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\nic1394.sys
DISPLAY_NAME : 1394 Net Driver

SERVICE_NAME: NwlnkFlt
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\nwlnkflt.sys
DISPLAY_NAME : IPX Traffic Filter Driver

SERVICE_NAME: NwlnkFwd
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\nwlnkfwd.sys
DISPLAY_NAME : IPX Traffic Forwarder Driver

SERVICE_NAME: ohci1394
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\ohci1394.sys
DISPLAY_NAME : VIA OHCI Compliant IEEE 1394 Host Controller

SERVICE_NAME: Parport
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\parport.sys
DISPLAY_NAME : Parallel port driver

SERVICE_NAME: PCI
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\pci.sys
DISPLAY_NAME : PCI Bus Driver

SERVICE_NAME: PCIIde
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\pciide.sys
DISPLAY_NAME : PCIIde

SERVICE_NAME: pciinfo
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : \??\C:\DOCUME~1\MIKEGR~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys
DISPLAY_NAME : HP Pci Information

SERVICE_NAME: Pcmcia
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\pcmcia.sys
DISPLAY_NAME : Pcmcia

SERVICE_NAME: PptpMiniport
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\raspptp.sys
DISPLAY_NAME : WAN Miniport (PPTP)

SERVICE_NAME: PSched
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\psched.sys
DISPLAY_NAME : QoS Packet Scheduler

SERVICE_NAME: Ptilink
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\ptilink.sys
DISPLAY_NAME : Direct Parallel Link Driver

SERVICE_NAME: PxHelp20
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\PxHelp20.sys
DISPLAY_NAME : PxHelp20

SERVICE_NAME: RasAcd
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\rasacd.sys
DISPLAY_NAME : Remote Access Auto Connection Driver

SERVICE_NAME: Rasirda
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\rasirda.sys
DISPLAY_NAME : WAN Miniport (IrDA)

SERVICE_NAME: Rasl2tp
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\rasl2tp.sys
DISPLAY_NAME : WAN Miniport (L2TP)

SERVICE_NAME: RasPppoe
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\raspppoe.sys
DISPLAY_NAME : Remote Access PPPOE Driver

SERVICE_NAME: Raspti
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\raspti.sys
DISPLAY_NAME : Direct Parallel

SERVICE_NAME: Rdbss
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\rdbss.sys
DISPLAY_NAME : Rdbss

SERVICE_NAME: RDPCDD
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : System32\DRIVERS\RDPCDD.sys
DISPLAY_NAME : RDPCDD

SERVICE_NAME: redbook
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\redbook.sys
DISPLAY_NAME : Digital CD Audio Playback Filter Driver

SERVICE_NAME: RTL8023
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\Rtlnic51.sys
DISPLAY_NAME : Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver

SERVICE_NAME: SAVRTPEL
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
DISPLAY_NAME : SAVRTPEL

SERVICE_NAME: sbp2port
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\sbp2port.sys
DISPLAY_NAME : SBP-2 Transport/Protocol Bus Driver

SERVICE_NAME: Secdrv
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\secdrv.sys
DISPLAY_NAME : Secdrv

SERVICE_NAME: serenum
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\serenum.sys
DISPLAY_NAME : OEM USB Serenum Filter Driver

SERVICE_NAME: Serial
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\serial.sys
DISPLAY_NAME : Serial port driver

SERVICE_NAME: Sfloppy
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\sfloppy.sys
DISPLAY_NAME : High-Capacity Floppy Disk Drive

SERVICE_NAME: SMCIRDA
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\smcirda.sys
DISPLAY_NAME : SMC IrCC Miniport Device Driver

SERVICE_NAME: SONYPVU1
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\SONYPVU1.SYS
DISPLAY_NAME : Sony USB Filter Driver (SONYPVU1)

SERVICE_NAME: splitter
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\splitter.sys
DISPLAY_NAME : Microsoft Kernel Audio Splitter

SERVICE_NAME: sr
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\sr.sys
DISPLAY_NAME : System Restore Filter Driver

SERVICE_NAME: Srv
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\srv.sys
DISPLAY_NAME : Srv

SERVICE_NAME: swenum
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\swenum.sys
DISPLAY_NAME : Software Bus Driver

SERVICE_NAME: swmidi
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\swmidi.sys
DISPLAY_NAME : Microsoft Kernel GS Wavetable Synthesizer

SERVICE_NAME: SymEvent
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\Program Files\Symantec\SYMEVENT.SYS
DISPLAY_NAME : SymEvent

SERVICE_NAME: SYMREDRV
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : \??\C:\WINDOWS\system32\Drivers\SYMREDRV.SYS
DISPLAY_NAME : SYMREDRV

SERVICE_NAME: sysaudio
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\sysaudio.sys
DISPLAY_NAME : Microsoft Kernel System Audio Device

SERVICE_NAME: Tcpip
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys
DISPLAY_NAME : TCP/IP Protocol Driver

SERVICE_NAME: TermDD
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\termdd.sys
DISPLAY_NAME : Terminal Device Driver

SERVICE_NAME: U2SP
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\u2s2kxp.sys
DISPLAY_NAME : OEM USB to Serial Converter Driver(Philips)

SERVICE_NAME: Update
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\update.sys
DISPLAY_NAME : Microcode Update Driver

SERVICE_NAME: usbccgp
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbccgp.sys
DISPLAY_NAME : Microsoft USB Generic Parent Driver

SERVICE_NAME: usbehci
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbehci.sys
DISPLAY_NAME : Microsoft USB 2.0 Enhanced Host Controller Miniport Driver

SERVICE_NAME: usbhub
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbhub.sys
DISPLAY_NAME : Microsoft USB Standard Hub Driver

SERVICE_NAME: usbprint
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbprint.sys
DISPLAY_NAME : Microsoft USB PRINTER Class

SERVICE_NAME: usbscan
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbscan.sys
DISPLAY_NAME : USB Scanner Driver

SERVICE_NAME: USBSTOR
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\USBSTOR.SYS
DISPLAY_NAME : USB Mass Storage Driver

SERVICE_NAME: usbuhci
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\usbuhci.sys
DISPLAY_NAME : Microsoft USB Universal Host Controller Miniport Driver

SERVICE_NAME: VgaSave
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : \SystemRoot\System32\drivers\vga.sys
DISPLAY_NAME : VgaSave

SERVICE_NAME: ViaIde
START_TYPE : 0 BOOT_START
BINARY_PATH_NAME : \SystemRoot\system32\DRIVERS\viaide.sys
DISPLAY_NAME : ViaIde

SERVICE_NAME: w22n51
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\w22n51.sys
DISPLAY_NAME : Intel® PRO/Wireless 2200 Adapter Driver

SERVICE_NAME: Wanarp
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\wanarp.sys
DISPLAY_NAME : Remote Access IP ARP Driver

SERVICE_NAME: wdmaud
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\wdmaud.sys
DISPLAY_NAME : Microsoft WINMM WDM Audio Compatibility Driver

SERVICE_NAME: winachsf
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\HSF_CNXT.sys
DISPLAY_NAME : winachsf

SERVICE_NAME: WmiAcpi
START_TYPE : 1 SYSTEM_START
BINARY_PATH_NAME : system32\DRIVERS\wmiacpi.sys
DISPLAY_NAME : Microsoft Windows Management Interface for ACPI

SERVICE_NAME: WudfPf
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\WudfPf.sys
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework Platform Driver

SERVICE_NAME: WudfRd
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\DRIVERS\wudfrd.sys
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework Reflector

SERVICE_NAME: {6080A529-897E-4629-A488-ABA0C29B635E}
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\ialmsbw.sys
DISPLAY_NAME : Intel® Graphics Platform (SoftBIOS) Driver

SERVICE_NAME: {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\ialmkchw.sys
DISPLAY_NAME : Intel® Graphics Chipset (KCH) Driver

SERVICE_NAME: {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55}
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : system32\drivers\wA301a.sys
DISPLAY_NAME : AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011


Services:


SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : Alerter

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
DISPLAY_NAME : Application Layer Gateway Service

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Application Management

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
DISPLAY_NAME : ASP.NET State Service

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Audio

SERVICE_NAME: Avg7Alrt
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
DISPLAY_NAME : AVG7 Alert Manager Server

SERVICE_NAME: Avg7UpdSvc
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
DISPLAY_NAME : AVG7 Update Service

SERVICE_NAME: AVGEMS
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
DISPLAY_NAME : AVG E-mail Scanner

SERVICE_NAME: BITS
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Background Intelligent Transfer Service

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Computer Browser

SERVICE_NAME: ccEvtMgr
Symantec Event Manager
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : -
DISPLAY_NAME : Symantec Event Manager

SERVICE_NAME: ccPwdSvc
Symantec Password Validation Service
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
DISPLAY_NAME : Symantec Password Validation

SERVICE_NAME: ccSetMgr
Symantec Settings Manager
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DISPLAY_NAME : Symantec Settings Manager

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
DISPLAY_NAME : Indexing Service

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
DISPLAY_NAME : ClipBook

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
DISPLAY_NAME : COM+ System Application

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Cryptographic Services

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
DISPLAY_NAME : DCOM Server Process Launcher

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : DHCP Client

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
DISPLAY_NAME : Logical Disk Manager Administrative Service

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Logical Disk Manager

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
DISPLAY_NAME : DNS Client

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Error Reporting Service

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
DISPLAY_NAME : Event Log

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : COM+ Event System

SERVICE_NAME: ewido security suite control
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files\ewido\security suite\ewidoctrl.exe
DISPLAY_NAME : ewido security suite control

SERVICE_NAME: ewido security suite guard
(null)
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\Program Files\ewido\security suite\ewidoguard.exe
DISPLAY_NAME : ewido security suite guard

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Fast User Switching Compatibility

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Help and Support

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Human Interface Device Access

SERVICE_NAME: hpqwmi
(null)
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\Program Files\HPQ\SHARED\HPQWMI.exe
DISPLAY_NAME : HP WMI Interface

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
DISPLAY_NAME : HTTP SSL

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
DISPLAY_NAME : IMAPI CD-Burning COM Service

SERVICE_NAME: iPodService
iPod hardware management services
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\iPod\bin\iPodService.exe"
DISPLAY_NAME : iPod Service

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Server

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Workstation

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : TCP/IP NetBIOS Helper

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Messenger

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\mnmsrvc.exe
DISPLAY_NAME : NetMeeting Remote Desktop Sharing

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\msdtc.exe
DISPLAY_NAME : Distributed Transaction Coordinator

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
DISPLAY_NAME : Windows Installer

SERVICE_NAME: navapsvc
Handles Norton AntiVirus Auto-Protect events.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
DISPLAY_NAME : Norton AntiVirus Auto Protect Service

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
DISPLAY_NAME : Network DDE

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
DISPLAY_NAME : Network DDE DSDM

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Net Logon

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Network Connections

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Network Location Awareness (NLA)

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : NT LM Security Support Provider

SERVICE_NAME: NtmsSvc
(null)
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Removable Storage

SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
DISPLAY_NAME : Office Source Engine

SERVICE_NAME: otpjmzzb
Helper for Realtek RTL8139/810x/8169/8110 all in one NDIS NT
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Realtek RTL8139/810x/8169/8110 all in one NDIS NT Helper

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
DISPLAY_NAME : Plug and Play

SERVICE_NAME: Pml Driver
(null)
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\HPHipm09.exe
DISPLAY_NAME : Pml Driver

SERVICE_NAME: Pml Driver HPZ12
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\HPZipm12.exe
DISPLAY_NAME : Pml Driver HPZ12

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : IPSEC Services

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Protected Storage

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Remote Access Auto Connection Manager

SERVICE_NAME: RasMan
Creates a network connection.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Remote Access Connection Manager

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
DISPLAY_NAME : Remote Desktop Help Session Manager

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Routing and Remote Access

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\locator.exe
DISPLAY_NAME : Remote Procedure Call (RPC) Locator

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
DISPLAY_NAME : Remote Procedure Call (RPC)

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\rsvp.exe
DISPLAY_NAME : QoS RSVP

SERVICE_NAME: SamSs
Stores security information for local user accounts.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Security Accounts Manager

SERVICE_NAME: SAVScan
Handles Norton AntiVirus Auto-Protect Archive Scanning
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "C:\Program Files\Norton AntiVirus\SAVScan.exe"
DISPLAY_NAME : SAVScan

SERVICE_NAME: SBService
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
DISPLAY_NAME : ScriptBlocking Service

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
DISPLAY_NAME : Smart Card

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Task Scheduler

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Secondary Logon

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : System Event Notification

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Shell Hardware Detection

SERVICE_NAME: Spooler
Loads files to memory for later printing.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
DISPLAY_NAME : Print Spooler

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : System Restore Service

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : SSDP Discovery Service

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
DISPLAY_NAME : Windows Image Acquisition (WIA)

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{F85987C8-6E82-4B45-917E-1EE0276A0DD3}
DISPLAY_NAME : MS Software Shadow Copy Provider

SERVICE_NAME: SymWSC
Symantec WMI Service
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : "c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
DISPLAY_NAME : SymWMI Service

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
DISPLAY_NAME : Performance Logs and Alerts

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Telephony

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
DISPLAY_NAME : Terminal Services

SERVICE_NAME: Themes
Provides user experience theme management.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Themes

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Distributed Link Tracking Client

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : Universal Plug and Play Device Host

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
DISPLAY_NAME : Uninterruptible Power Supply

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
DISPLAY_NAME : Volume Shadow Copy

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Time

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : WebClient

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Management Instrumentation

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Portable Media Serial Number Service

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\wbem\wmiapsrv.exe
DISPLAY_NAME : WMI Performance Adapter

SERVICE_NAME: WMPNetworkSvc
Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Windows Media Player\WMPNetwk.exe"
DISPLAY_NAME : Windows Media Player Network Sharing Service

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Security Center

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Automatic Updates

SERVICE_NAME: WudfSvc
Manages user-mode driver host processes
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Wireless Zero Configuration

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Network Provisioning Service


Finished!

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:02:39 AM

Posted 14 October 2007 - 03:55 AM

Hey,

Sorry for delayed reply.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\DAP\bak\DAP.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon03.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
"C:\Program Files\NETGEAR\WPN511\Utility\bak\WPN511.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply along with new Hijackthis.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
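
The bak-folder convention that FindAWF works with (original file moved into a bak\ subfolder, a substitute of the same name left in the parent folder, and option 2 copying the original back) can be checked from the tool's own "Duplicate files of bak directory contents" listing. The script below is an added example, not FindAWF's code or anything posted in this thread: it parses lines of the form `<size> <Mon> <day> <year> "<path>"`, pairs each bak\ copy with the same-named file one level up, and reports whether the parent copy matches the backup by size and date, differs, or is absent. The sample listing is constructed; the differing system32\hkcmd.exe entry uses invented values to show the suspect case.

```python
import re
from pathlib import PureWindowsPath

# One entry of FindAWF's "Duplicate files of bak directory contents" section:
#   <size> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')

# Constructed sample in the log's format (not taken from the thread's logs).
# DAP.EXE: parent copy matches its bak copy (restored).
# system32\hkcmd.exe: parent copy has an invented size/date, so it differs.
# qttask.exe: present only under bak\, nothing in the parent folder.
SAMPLE_LISTING = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1491968 Oct 26 2004 "C:\Program Files\DAP\DAP.EXE"
1491968 Oct 26 2004 "C:\Program Files\DAP\bak\DAP.EXE"
118784 Oct 30 2003 "C:\swsetup\video\hkcmd.exe"
45056 Sep 29 2007 "C:\WINDOWS\system32\hkcmd.exe"
118784 Oct 30 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
98304 May 4 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
"""


def parse_listing(text):
    """Map lower-cased full path -> (size, 'Mon d yyyy', path as written)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, mon, day, year, path = m.groups()
            entries[path.lower()] = (int(size), f"{mon} {day} {year}", path)
    return entries


def audit_bak_pairs(text):
    """For every file under a bak\\ folder, compare it with the same-named
    file one level up. Returns sorted (original_path, bak_path, status):
      RESTORED  parent copy matches the bak copy in size and date
      SUSPECT   parent copy differs, so it may still be the substituted file
      MISSING   nothing with that name in the parent folder
    Size and date are all the listing carries; a hash check on disk is stronger.
    """
    entries = parse_listing(text)
    results = []
    for size, date, bak_path in entries.values():
        p = PureWindowsPath(bak_path)
        if p.parent.name.lower() != "bak":
            continue
        original = str(p.parent.parent / p.name)
        parent_copy = entries.get(original.lower())
        if parent_copy is None:
            status = "MISSING"
        elif parent_copy[0] == size and parent_copy[1] == date:
            status = "RESTORED"
        else:
            status = "SUSPECT"
        results.append((original, bak_path, status))
    return sorted(results)


def restore_list(text):
    """Quoted bak\\ paths that still need restoring, one per line, in the
    form FindAWF's option 2 expects to be pasted into files.txt."""
    return sorted(f'"{bak}"' for _, bak, status in audit_bak_pairs(text)
                  if status != "RESTORED")


if __name__ == "__main__":
    for original, _, status in audit_bak_pairs(SAMPLE_LISTING):
        print(f"{status:8} {original}")
    print("\n".join(restore_list(SAMPLE_LISTING)))
```

Run it against a saved FindAWF log in place of SAMPLE_LISTING to get the list of bak\ paths whose parent copy still looks replaced or is absent.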

#11 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  • Local time:02:39 AM

Posted 14 October 2007 - 08:29 PM

Hi - Here are the logs - hope you had a nice weekend.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/14/2007
The current time is: 21:00:46.06


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DAP\BAK

10/26/2004 02:23 PM 1,491,968 DAP.EXE
1 File(s) 1,491,968 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/18/2004 01:20 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/04/2003 02:47 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/30/2003 04:33 AM 118,784 hkcmd.exe
01/30/2003 07:55 PM 311,296 hphmon03.exe
05/22/2003 10:55 PM 483,328 hphmon05.exe
10/30/2003 04:46 AM 155,648 igfxtray.exe
4 File(s) 1,069,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

09/14/2004 09:02 PM 70,776 ccApp.exe
1 File(s) 70,776 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

08/13/2006 09:35 AM 369,664 avgcc.exe
1 File(s) 369,664 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{45B61~1\BAK

05/22/2003 11:03 PM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

04/30/2004 01:32 PM 208,958 cpqset.exe
1 File(s) 208,958 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

07/30/2004 11:33 AM 286,720 EabServr.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/26/2004 01:15 PM 536,576 SynTPEnh.exe
05/26/2004 01:15 PM 98,304 SynTPLpr.exe
2 File(s) 634,880 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/18/2004 09:48 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 04:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\10720~1.364\BAK

09/16/2006 12:45 AM 155,896 GoogleToolbarNotifier.exe
1 File(s) 155,896 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~2.2_0\BIN\BAK

06/03/2004 11:05 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\NETGEAR\WPN511\UTILITY\BAK

02/02/2005 10:29 AM 483,328 WPN511.exe
1 File(s) 483,328 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

01/30/2003 07:55 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1491968 Oct 26 2004 "C:\Program Files\DAP\DAP.EXE"
1491968 Oct 26 2004 "C:\Program Files\DAP\bak\DAP.EXE"
278528 Dec 18 2004 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Dec 18 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
98304 May 4 2003 "C:\Program Files\QuickTime\qttask.exe"
98304 May 4 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Oct 30 2003 "C:\swsetup\video\hkcmd.exe"
118784 Oct 30 2003 "C:\WINDOWS\system32\hkcmd.exe"
118784 Oct 30 2003 "C:\swsetup\video\Win2000\hkcmd.exe"
118784 Oct 30 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
311296 Jan 30 2003 "C:\WINDOWS\system32\hphmon03.exe"
311296 Jan 30 2003 "C:\WINDOWS\system32\bak\hphmon03.exe"
311296 Jan 30 2003 "C:\temp\photosmart\enu\drivers\win2k_xp\HPHmon03.exe"
311296 Jan 30 2003 "C:\Program Files\hp photosmart\hphinstall\enu\drivers\win2k_xp\HPHmon03.exe"
483328 May 22 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 May 22 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\deu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\enu\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\esm\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\fra\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\grk\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ita\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\nld\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\ptb\HPHmon05.exe"
483328 May 22 2003 "C:\hp\tmp\src\psptr\rus\HPHmon05.exe"
155648 Oct 30 2003 "C:\swsetup\video\igfxtray.exe"
155648 Oct 30 2003 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 30 2003 "C:\swsetup\video\Win2000\igfxtray.exe"
155648 Oct 30 2003 "C:\WINDOWS\system32\bak\igfxtray.exe"
70776 Sep 14 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
70776 Sep 14 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
369664 Aug 13 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
421888 Sep 13 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
369664 Aug 13 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
416256 Apr 20 2007 "C:\UBCD4Win\BartPE\PROGRAMS\AVG75\avgcc.exe"
416256 Apr 20 2007 "C:\UBCD4Win\plugin\AntiVirus\AVG_75\src\avgcc.exe"
49152 Feb 16 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 May 22 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 May 22 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"
49152 May 22 2003 "C:\hp\tmp\src\psptr\Patch\Uninst\HPHupd05.exe"
208958 Apr 30 2004 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
208958 Apr 30 2004 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
286720 Jul 30 2004 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
286720 Jul 30 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
536576 May 26 2004 "C:\swsetup\Touchpad\SynTPEnh.exe"
536576 May 26 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
536576 May 26 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
98304 May 26 2004 "C:\swsetup\Touchpad\SynTPLpr.exe"
98304 May 26 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98304 May 26 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
180269 Oct 18 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Oct 18 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
155896 Sep 16 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
163576 Oct 17 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
155896 Sep 16 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak\GoogleToolbarNotifier.exe"
32881 May 4 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
483328 Feb 2 2005 "C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe"
483328 Feb 2 2005 "C:\Program Files\NETGEAR\WPN511\Utility\bak\WPN511.exe"
196608 Jan 30 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"
196608 Jan 30 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report

-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:08 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Hijackthis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10f.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go11f.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8083 bytes

#12 Blender


    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 15 October 2007 - 03:45 AM

Hi,

You still can't get internet on this thing? Wired or wireless?

FindAWF moved the good files OK.

Start Hijackthis
Run system scan and check these entries:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] -
O20 - AppInit_DLLs:


Close all other open windows and click "fix checked"
Say OK & exit Hijackthis.

Next, double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\DAP\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Hewlett-Packard\HP Software Update\bak
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\bak
C:\Program Files\Java\j2re1.4.2_05\bin\bak
C:\Program Files\NETGEAR\WPN511\Utility\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak



Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- It removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Once the log is posted....

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Reboot

You will need to re-enter your WorldSpan URLs in your trusted zone because Option 4 in FindAWF also removes those.
It resets the zones to default.

http://*.worldspan.com
http://*.wspan.com

-----------------------

Try internet again.

If still no go...

Post new Hijackthis log like this:

Start> run> type:

C:\Hijackthis\HiJackThis.exe /ihatewhitelists

hit enter.
Run system scan and post the results.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
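The entries Blender marks for "fix checked" above share a few recognisable shapes: a BHO or toolbar CLSID whose DLL reads "(no file)", a Run value with nothing after the name, and an empty AppInit_DLLs value. The O10 lines in the earlier log are the Winsock LSP chain, which the original poster worried had been damaged; on XP it normally lists mswsock.dll many times, so the useful check is whether any provider is loaded from somewhere other than system32. As an added example, not code from the thread, from HijackThis or from FindAWF, the Python script below parses lines in the HijackThis log format and reports those cases. The sample lines are constructed from the log format in this thread, and the `c:\temp\example_lsp.dll` entry is a constructed placeholder, not something from the poster's machine; `parse_line`, `triage` and `summarize` are names chosen here.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; it is not code from HijackThis, FindAWF or
the thread's participants. It reads the O2/O3/O4/O10/O20 line shapes seen
in the logs above and flags what a helper typically marks for "fix checked":
BHO/toolbar entries whose DLL is gone, Run entries with an empty command,
an empty AppInit_DLLs value, and Winsock LSP providers loaded from outside
system32 (the many mswsock.dll repeats in the thread are normal for XP).
"""
import re
from collections import Counter

SAMPLE_LINES = [
    # Line shapes copied from the HijackThis logs in this thread (constructed sample input).
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)",
    r"O4 - HKLM\..\Run: [ccApp] -",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll",
    # Constructed placeholder, not from the thread: an LSP provider outside system32.
    r"O10 - Unknown file in Winsock LSP: c:\temp\example_lsp.dll",
    r"O20 - AppInit_DLLs:",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# "O2 - BHO: ..." -> section tag and the rest of the line.
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# "[name] command" in an O4 Run entry -> the command part.
RUN_CMD = re.compile(r"\[[^\]]*\]\s*(.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_line(line):
    """Return (section, body) for an HJT 'Oxx - ...' line, else None."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return (findings, lsp_counts).

    findings is a list of (kind, line) pairs; lsp_counts counts how often each
    Winsock LSP provider DLL appears in the O10 chain.
    """
    findings = []
    lsp_counts = Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # Registered BHO/toolbar CLSID whose DLL no longer exists on disk.
            findings.append(("orphan", line))
        elif section == "O4":
            m = RUN_CMD.search(body)
            if m and m.group(1).strip() in ("", "-"):
                # Run value with no command behind it (e.g. the ccApp entry above).
                findings.append(("empty", line))
        elif section == "O20" and body.strip() == "AppInit_DLLs:":
            # AppInit_DLLs value present but empty.
            findings.append(("empty", line))
        elif section == "O10" and ": " in body:
            dll = body.split(": ", 1)[1].strip().lower()
            lsp_counts[dll] += 1
            if not dll.startswith(SYSTEM32):
                # Layered provider loaded from outside the Windows system directory.
                findings.append(("lsp_outside_system32", line))
    return findings, lsp_counts


def summarize(log_text):
    """Counts per finding kind plus the LSP provider tally, for quick review."""
    findings, lsp_counts = triage(log_text)
    kinds = Counter(kind for kind, _ in findings)
    return {
        "orphan": kinds["orphan"],
        "empty": kinds["empty"],
        "lsp_outside_system32": kinds["lsp_outside_system32"],
        "lsp_dll_counts": dict(lsp_counts),
    }


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG)[0]:
        print(f"{kind:22} {line}")
    print(summarize(SAMPLE_LOG)["lsp_dll_counts"])
```

Run it against a saved hijackthis.log by reading the file into `triage`; orphaned and empty entries are safe candidates for "fix checked", while an LSP provider outside system32 is something to look up before touching, since removing the wrong LSP entry is exactly what breaks connectivity.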

#13 mikegru

  • Topic Starter

  • Members
  • 156 posts

Posted 15 October 2007 - 08:52 AM

Dang! Thought we had it this time, but still no connection either wired or wireless. The PC sees all the networks, just cannot hook up with any of them. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:04 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AS00_WPN511] C:\Program Files\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwa...are/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10f.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go11f.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - http://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\ITSS.DLL
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\ITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Realtek RTL8139/810x/8169/8110 all in one NDIS NT Helper (otpjmzzb) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 24169 bytes

#14 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location: Ontario

Posted 15 October 2007 - 11:52 AM

Mmmmk

I wanna look at your Hosts file.

Open Hijackthis
click "config"
Click "misc tools"
Click "open hosts file manager"
Click "open with notepad"

Save that file someplace handy. (keep HJT open for next log)

Check both options beside "generate startuplist log" and generate the log.
It will be in the same folder as HijackThis.

Post both the startuplist log and the Hosts file log.

If the Hosts file is 10 miles long, you can upload it here:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
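A way to do offline what is being asked for in this post, as an added example that is not part of the thread and not code from HijackThis: parse the O23 service lines from the log posted above together with a hosts file, and return the entries an analyst would look at first. Two things are assumed: the XP svchost baseline is a partial allowlist written for this example (a real one comes from a clean reference machine), and the tampered hosts file is constructed. A flagged service means "open HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and check which ServiceDll actually loads", not "infected"; the display name in an O23 line is free text chosen by whoever installed the service.

```python
"""Offline triage of two HijackThis-era artefacts: O23 service lines and the
Windows hosts file. Constructed samples only; nothing here touches the
network or the registry."""
import re
from typing import Dict, List, Tuple

# The two shapes HijackThis uses for O23 lines:
#   O23 - Service: Display (ShortName) - Company - Path
#   O23 - Service: Display - Company - Path      (short name equals display)
_O23_WITH_SHORT = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<company>.+?) - (?P<path>.+)$")
_O23_NO_SHORT = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$")

# ASSUMED partial baseline of service short names that legitimately run inside
# svchost.exe on Windows XP. Build the real one from a known-clean machine.
XP_SVCHOST_BASELINE = {
    "AudioSrv", "BITS", "Browser", "CryptSvc", "DcomLaunch", "Dhcp", "dmserver",
    "Dnscache", "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "helpsvc",
    "HTTPFilter", "lanmanserver", "lanmanworkstation", "LmHosts", "Messenger", "Netman",
    "Nla", "NtmsSvc", "RasAuto", "RasMan", "RpcSs", "Schedule", "seclogon", "SENS",
    "SharedAccess", "ShellHWDetection", "srservice", "SSDPSRV", "stisvc", "TapiSrv",
    "TermService", "Themes", "TrkWks", "upnphost", "W32Time", "WebClient", "winmgmt",
    "WmdmPmSN", "wscsvc", "wuauserv", "WudfSvc", "WZCSVC", "xmlprov",
}

# Constructed sample: four lines taken from the shapes seen in the thread's log.
SAMPLE_O23 = r"""
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Realtek RTL8139/810x/8169/8110 all in one NDIS NT Helper (otpjmzzb) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

CLEAN_HOSTS = "# stock XP hosts file\n127.0.0.1       localhost\n"

# Constructed example of a tampered hosts file; the domains are placeholders.
TAMPERED_HOSTS = """# tampered hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       update.example.net      # loopback mapping = site is blocked
10.0.0.5        www.example.com         # foreign address = site is redirected
"""


def parse_o23(log_text: str) -> List[Dict[str, str]]:
    """Parse O23 lines into dicts with display/short/company/path keys."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("O23 - Service:"):
            continue
        m = _O23_WITH_SHORT.match(line) or _O23_NO_SHORT.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        entry.setdefault("short", entry["display"])  # no parens: short == display
        entries.append(entry)
    return entries


def flag_svchost_services(entries: List[Dict[str, str]],
                          baseline=XP_SVCHOST_BASELINE) -> List[str]:
    """Short names of svchost-hosted services that are not in the baseline.

    svchost.exe is only a host; the ServiceDll value under the service's
    Parameters key decides what code runs, so an unknown svchost service is
    the one to inspect next. Flagged means 'review', not 'malicious'."""
    return [e["short"] for e in entries
            if e["path"].lower().endswith("\\svchost.exe") and e["short"] not in baseline]


def parse_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    pairs = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name) for name in names)
    return pairs


def flag_hosts(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries other than the stock loopback -> localhost mapping.

    A loopback mapping for any other name blocks that site (the classic way to
    cut off AV and update servers); any other address redirects it."""
    return [(ip, name) for ip, name in pairs
            if not (ip in ("127.0.0.1", "::1") and name.lower() == "localhost")]


if __name__ == "__main__":
    print("svchost services to review:", flag_svchost_services(parse_o23(SAMPLE_O23)))
    print("clean hosts entries to review:", flag_hosts(parse_hosts(CLEAN_HOSTS)))
    print("tampered hosts entries to review:", flag_hosts(parse_hosts(TAMPERED_HOSTS)))
```

Run against the full O23 list rather than the four sample lines and the output is the same short list; the point of the baseline approach is that everything Microsoft ships under svchost is already known, so the analyst only has to look up the leftovers.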

#15 mikegru

  • Topic Starter
  • Members
  • 156 posts

Posted 15 October 2007 - 12:08 PM

Hi - Here are the logs. Thanks

Not much in hosts:
127.0.0.1 localhost


Startup is pretty long - I'll send it to the link you gave me.

Mike