Unknown Malware Search Engine Redirect Problem


15 replies to this topic

#1 rationalegoist


  • Members
  • 10 posts

Posted 26 February 2009 - 03:07 PM

I've spent 30+ hours trying everything I know to resolve my malware problem. In Firefox or IE, whenever I use a search engine (google or yahoo, haven't tried others) I get the right results, but when I click the links, I am usually redirected elsewhere to ad heavy sites like lowpriceshopper.com, toseeka.com, pricepower.com, couponmountain.com, shopica.com, etc. Here's a list of what I've tried:

uninstalled Firefox, run CCleaner, run ATF Cleaner, McAfee online scan, Norton online scan, Malware Bytes, AdAware, Spybot Search and Destroy, Super-Anti Spyware, Avast, Antivir, Smitfraud and probably a few others I can't remember. I've run these both in XP and in safe mode, and they found a couple of minor things, but that's all.

None of them have fixed the problem. My computer also won't run certain executables like regedit, cmd, combofix, dds, SDfix and others. It's like whatever is wrong has killed all these processes. I have uninstalled and/or removed enough software and processes with HijackThis that I've barely got anything running anymore, yet the problem persists. I can't figure out which of the remaining running files could possibly be causing a problem! They all look essential to me. I've even used Msconfig to disable as many processes as possible, but the search redirector is still there. Help! Any assistance is GREATLY appreciated!

Below is my most recent Hijack This log. This is with several of the services and near all of the startup files halted by MsConfig. Should I post a Hijack This log with all those processes running?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:03:45, on 2/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 1619 bytes

Edited by rationalegoist, 27 February 2009 - 01:21 AM.



#2 bamajim


  • Members
  • 894 posts

Posted 04 March 2009 - 02:49 PM

rationalegoist

Please re-enable everything you disabled in msconfig, rerun Hijackthis and post a fresh Hijackthis log. It will help with the diagnosis.
Microsoft MVP - Windows Security

#3 rationalegoist

  • Topic Starter

  • Members
  • 10 posts

Posted 04 March 2009 - 09:48 PM

Thanks for the response, bamajim. Here's a HijackThis log with everything enabled.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:14, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2052111302-2077806209-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-2052111302-2077806209-682003330-1003 Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe (User '?')
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 4825 bytes
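
A small triage script for the two HijackThis logs posted in this thread, added here as an example; it is not part of the thread and not HijackThis's own tooling. It parses the O4 (autostart) and O23 (service) lines of a HijackThis v2 log, flags the entries a helper reads first (a command written as a bare file name, which Windows locates through its search order rather than at a fixed path, and a service whose vendor field reads "Unknown owner"), and diffs the msconfig-reduced log from post #1 against the full log from post #3, which is the reason a helper asks for a log with everything re-enabled. The sample log text is constructed from lines quoted in posts #1 and #3, shortened; the flag names `bare-name` and `unknown-owner` and all function names are this script's own. A flag is a prompt for a closer look, not a verdict.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines from the first (msconfig-reduced) log in post #1.
LOG_REDUCED = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

# Constructed sample: a few lines from the second (everything enabled) log in post #3.
LOG_FULL = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2052111302-2077806209-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str      # "O4" (autostart) or "O23" (service)
    location: str  # registry key / startup folder for O4, vendor string for O23
    name: str      # value name, shortcut name or service display name
    command: str   # command line or binary path exactly as the log wrote it


# O4 registry Run entries, with the optional "(User '...')" suffix HijackThis adds for HKUS.
_O4_RUN = re.compile(r"^O4 - (?P<loc>.+?\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# O4 startup-folder entries: "O4 - Global Startup: name.lnk = target".
_O4_STARTUP = re.compile(r"^O4 - (?P<loc>.*?Startup): (?P<name>.+?) = (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# O23 services: "O23 - Service: display - vendor - path" (split on the first two " - ").
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# Program part of a command line; paths are often unquoted and contain spaces,
# so cut after the first recognised executable extension instead of at a space.
_PROGRAM = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|dll))"?(?:\s|$)', re.IGNORECASE)


def parse_log(text: str) -> list[Entry]:
    """Extract O4 and O23 entries from HijackThis log text; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        m = _O4_RUN.match(line) or _O4_STARTUP.match(line)
        if m:
            entries.append(Entry("O4", m["loc"], m["name"], m["cmd"]))
            continue
        m = _O23.match(line)
        if m:
            entries.append(Entry("O23", m["vendor"], m["name"], m["cmd"]))
    return entries


def executable(command: str) -> str:
    """Return the program part of a command line as written (no expansion, no lookup)."""
    command = command.strip()
    m = _PROGRAM.match(command)
    if m:
        return m["exe"]
    return command.strip('"').split(" ", 1)[0]


def review(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Flag entries worth a closer look; the reason codes are this script's own."""
    findings = []
    for e in entries:
        exe = executable(e.command)
        if "\\" not in exe and ":" not in exe:
            # No directory at all: the loader finds the file by search order,
            # so the log line alone does not say which binary actually runs.
            findings.append((e, "bare-name"))
        if e.kind == "O23" and e.location == "Unknown owner":
            findings.append((e, "unknown-owner"))
    return findings


def diff_logs(before: list[Entry], after: list[Entry]) -> list[Entry]:
    """Entries in `after` that `before` lacked; per-user duplicates of one value collapse."""
    def key(e: Entry) -> tuple[str, str, str]:
        return (e.kind, e.name.lower(), e.command.lower())
    seen = {key(e) for e in before}
    added = []
    for e in after:
        if key(e) not in seen:
            seen.add(key(e))
            added.append(e)
    return added


if __name__ == "__main__":
    reduced, full = parse_log(LOG_REDUCED), parse_log(LOG_FULL)
    for e, reason in review(full):
        print(f"[{reason}] {e.kind} [{e.name}] {e.command}")
    print("Entries the reduced log did not show:")
    for e in diff_logs(reduced, full):
        print(f"  {e.kind} [{e.name}] {e.command}")
    print("Entries only the reduced log had:")
    for e in diff_logs(full, reduced):
        print(f"  {e.kind} [{e.name}] {e.command}")
```

Run it against the two logs above and the diff shows exactly what msconfig hid from the first log (including the MSConfig Run entry that msconfig itself adds while it manages startup); the two flags on the full log point at `pctspk.exe`, listed without a directory, and at the ATI Smart service, which HijackThis could not attribute to a vendor. Neither is evidence of infection by itself, which is why helpers want the complete log before drawing conclusions.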

#4 bamajim


  • Members
  • 894 posts

Posted 05 March 2009 - 05:11 PM

rationalegoist

Did you say regedit was disabled?

If so, what happens when you type Run >> regedit ->> OK?
Microsoft MVP - Windows Security

#5 rationalegoist

  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2009 - 12:00 AM

bamajim -

Yes, regedit, and the other programs I listed above won't start even from the Run button and typing the name in. Whenever I try any of those programs, apparently Explorer crashes, as all my icons and taskbar disappear. Sometimes it recovers and says the program itself has crashed, other times I have to reboot and it informs me at that time that Explorer is not responding.

#6 bamajim


  • Members
  • 894 posts

Posted 06 March 2009 - 10:03 AM

rationalegoist

That makes it difficult. Let's see if this will run for us.

Go HERE and download System Repair Engineer by smallfrogs.
Select local download. Save it to your Desktop.
Right-click sreng2.zip ->> Extract all ->> Extract it to your desktop.
Open the sreng folder.
Double-click SREngPS.exe ->> Click Run.
At the main window, in the left pane, select Smart Scan.
At the next window make sure all of the boxes are checked and select Scan.
When the scan is complete, select Save reports.
Save it to your desktop and close the tool.
Double-click SREngLog.txt, then copy and paste that log as a reply to this thread.
Do not run any other options with this tool unless instructed to do so.
Microsoft MVP - Windows Security

#7 rationalegoist

  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2009 - 04:51 PM

Ok, bamajim, here's the SREngLog:

2009-03-06,15:46:41

System Repair Engineer 2.7.0.1210
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been selected:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Running Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan
	Scheduled Tasks
	API HOOK
	Hidden Process


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<SpybotSD TeaTimer><C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe>  [(Verified)Safer Networking Ltd.]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<Ad-Watch><C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe>  [(Verified)Lavasoft AB]
	<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [File is missing]
	<ShStatEXE><"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE>  [Network Associates, Inc.]
	<PCTVOICE><pctspk.exe>  []
	<Network Associates Error Reporting Service><"C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe">  [Network Associates, Inc.]
	<NeroFilterCheck><C:\WINDOWS\system32\NeroCheck.exe>  [Nero AG]
	<McAfeeUpdaterUI><"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey>  [Network Associates, Inc.]
	<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [File is missing]
	<ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start>  [InstallShield Software Corporation]
	<ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup>  [InstallShield Software Corporation]
	<ATICCC><"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe">  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
	<AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
	<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	<PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
	<SysTray><C:\WINDOWS\System32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
	<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
	<WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
	<WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
	<WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
	<WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
	<WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
	<WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
	<WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
	<WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
	<WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
	<WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
	<WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
	<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\System32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
	<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\System32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
	<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
	<Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
	<Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
	<Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
	<Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
	<SCRNSAVE.EXE><C:\WINDOWS\System32\scrnsave.scr>  [(Verified)Microsoft Windows Component Publisher]

==================================
Startup Folders
[Adobe Reader Speed Launch]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk --> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [File is missing]><N>
[Microsoft Office]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
[Registration Heroes of Might & Magic 5]
  <C:\Documents and Settings\Chris\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK --> C:\PROGRA~1\Ubisoft\HEROES~1\REGIST~1\REGIST~1.EXE []><N>

==================================
Services
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Lavasoft Ad-Aware Service / Lavasoft Ad-Aware Service][Running/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"><Lavasoft>
[McAfee Framework Service / McAfeeFramework][Running/Auto Start]
  <C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart><Network Associates, Inc.>
[Network Associates McShield / McShield][Running/Auto Start]
  <"C:\Program Files\Network Associates\VirusScan\Mcshield.exe"><Network Associates, Inc.>
[Network Associates Task Manager / McTaskManager][Running/Auto Start]
  <"C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"><Network Associates, Inc.>
[WMP54Gv4SVC / WMP54Gv4SVC][Running/Auto Start]
  <"C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe"><GEMTEKS>

==================================
Drivers
[AEGIS Protocol (IEEE 802.1x) v3.4.0.1 / AegisP][Running/Auto Start]
  <system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[ati2mtag / ati2mtag][Running/Manual Start]
  <System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[ENTECH / ENTECH][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys><EnTech Taiwan>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS][Stopped/Manual Start]
  <System32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[VIA Rhine Family Fast Ethernet Adapter Driver Service / FETNDISB][Running/Manual Start]
  <System32\DRIVERS\fetnd5b.sys><VIA Technologies, Inc.>
[Lbd / Lbd][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\Lbd.sys><Lavasoft AB>
[NaiAvFilter1 / NaiAvFilter1][Running/Manual Start]
  <system32\drivers\naiavf5x.sys><Network Associates, Inc.>
[NaiAvTdi1 / NaiAvTdi1][Running/System Start]
  <system32\drivers\mvstdi5x.sys><Network Associates, Inc.>
[NTSIM / NTSIM][Stopped/Manual Start]
  <\??\C:\WINDOWS\System32\ntsim.sys><VIA Networking Technologies, Inc.>
[VSO Software pcouffin / pcouffin][Running/Manual Start]
  <System32\Drivers\pcouffin.sys><VSO Software>
[Creative WebCam Instant / PD0620VID][Stopped/Manual Start]
  <system32\DRIVERS\P0620Vid.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[W2K Pctel Serial Device Driver / Ptserial][Running/Manual Start]
  <System32\DRIVERS\ptserial.sys><PCTEL, INC.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Linksys Wireless-G PCI Adapter Driver / RT2500][Running/Manual Start]
  <system32\DRIVERS\RT2500.sys><Ralink Technology Inc.>
[Secdrv / Secdrv][Running/Auto Start]
  <System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[tmcomm / tmcomm][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\tmcomm.sys><Trend Micro Inc.>
[VIA AGP Filter / viaagp1][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
[ViaIde / ViaIde][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\viaidexp.sys><VIA Technologies, Inc.>
[Vinyl AC'97 Audio Controller (WDM) / VIAudio][Running/Manual Start]
  <system32\drivers\viaudios.sys><VIA Technologies, Inc.>
[W2K Vmodem / Vmodem][Running/Manual Start]
  <System32\DRIVERS\vmodem.sys><PCTEL, INC.>
[W2K Vpctcom / Vpctcom][Running/Manual Start]
  <System32\DRIVERS\vpctcom.sys><PCtel, Inc.>
[W2K Vvoice / Vvoice][Running/Manual Start]
  <System32\DRIVERS\vvoice.sys><PCtel, Inc.>
[EntDrv51 / EntDrv51][Running/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\EntDrv51.sys><Network Associates, Inc>
[GTNDIS5 NDIS Protocol Driver / GTNDIS5][Running/Manual Start]
  <\??\C:\WINDOWS\system32\GTNDIS5.SYS><Printing Communications Assoc., Inc. (PCAUSA)>

==================================
Browser Add-ons
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
[]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <, >
[]
  {00000000-0000-0000-0000-000000000000} <, >
[]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <, >
[]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <, >
[]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <, >
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, (Signed) Microsoft Corporation>
[XML DOM Document]
  {2933BF90-7B36-11D2-B20E-00C04F983E60} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[]
  {4063BE15-3B08-470D-A0D5-B37161CFFD69} <, >
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {4EDCB26C-D24C-4e72-AF07-B576699AC0DE} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {53707962-6F74-2D53-2644-206D7942484F} <, >
[]
  {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <, >
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, (Signed) Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[Active Desktop Mover]
  {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {7390f3d8-0439-4c05-91e3-cf5cb290c3d0} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {7584c670-2274-4efb-b00b-d6aaba6d3850} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <, >
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[XML DOM Document 4.0]
  {88D969C0-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <, >
[Microsoft Terminal Services Client Control (redist)]
  {9059f30f-4eb1-4bd2-9fdc-36f43a218f4a} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, (Signed) N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, (Signed) Microsoft Corporation>
[AUDIO__MID Moniker Class]
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__MP3 Moniker Class]
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[]
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <, >
[]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <, >
[OfficeObj Class]
  {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} <, >
[]
  {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <, >
[]
  {DBC80044-A445-435B-BC74-9C25C1C588A9} <, >
[]
  {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} <, >
[]
  {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} <, >
[]
  {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[]
  {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} <, >
[]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <, >
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[XML DOM Document]
  {F6D90F11-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\System32\msxml3.dll, (Signed) N/A>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[]
  {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} <, >

==================================
Running Processes
[PID: 636 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 708 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 736 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
	[C:\WINDOWS\system32\Ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4149]
[PID: 780 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 792 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 956 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4149]
	[C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2508]
	[C:\WINDOWS\system32\atipdlxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2513]
[PID: 968 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1072 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1232 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1396 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1436 / SYSTEM][C:\WINDOWS\system32\Ati2evxx.exe]  [ATI Technologies Inc., 6.14.10.4149]
	[C:\WINDOWS\system32\Ati2edxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2508]
	[C:\WINDOWS\system32\atipdlxx.dll]  [ATI Technologies, Inc., 6, 14, 10, 2513]
	[C:\WINDOWS\system32\ati2evxx.dll]  [ATI Technologies Inc., 6.14.10.4149]
[PID: 1848 / Chris][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
	[C:\Program Files\FileZilla Client\fzshellext.dll]  [, 3, 0, 4, 1]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
	[C:\Program Files\dBpowerAMP\dBShell.dll]  [, 6, 4, 0, 1]
	[C:\Program Files\BreakPoint Software\Hex Workshop 4.2\hwext.dll]  [BreakPoint Software, Inc., 4.23]
	[C:\Program Files\Network Associates\VirusScan\shext.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\RES09\ShExtRes.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll]  [, 1.0.0.1]
[PID: 1948 / SYSTEM][C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe]  [Lavasoft, 8, 0, 0, 0]
	[C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll]  [N/A, ]
	[C:\Program Files\Lavasoft\Ad-Aware\Resources.dll]  [N/A, ]
	[C:\Program Files\Lavasoft\Ad-Aware\lavalicense.dll]  [Lavasoft, 7,1,0,12]
	[C:\Program Files\Lavasoft\Ad-Aware\lavamessage.dll]  [Lavasoft, 8.0]
	[C:\Program Files\Lavasoft\Ad-Aware\ceapi.dll]  [Lavasoft, 8, 0, 0, 0]
	[C:\Program Files\Lavasoft\Ad-Aware\unrar.dll]  [N/A, ]
[PID: 160 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[PID: 356 / SYSTEM][C:\Program Files\Network Associates\Common Framework\FrameworkService.exe]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\nailog.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\naXML.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\naCmnLib.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\applib.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\0409\AgentRes.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\Logging.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\InternetManager.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\naInet.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\UserSpace.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\Management.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\cmalib.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\naPolicyManager.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\PsApi.dll]  [Microsoft Corporation, 4.00]
	[C:\Program Files\Network Associates\Common Framework\ScriptSubSys.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\UpdateSubSys.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\Scheduler.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\TCSubSys.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 512 / SYSTEM][C:\Program Files\Network Associates\VirusScan\Mcshield.exe]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Network Associates\VirusScan\Res09\McShield.DLL]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Network Associates\VirusScan\FTL.Dll]  [Network Associates, Inc., 8.0.0.133]
	[C:\Program Files\Network Associates\VirusScan\naiann.dll]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Network Associates\VirusScan\mytilus.dll]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Network Associates\Common Framework\GenEvtInf.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\VirusScan\NaEventU.DLL]  [Network Associates, Inc., 8.0.0.342]
	[C:\Program Files\Network Associates\VirusScan\Res09\naEvtRes.dll]  [Network Associates, Inc., 8.0.0.342]
	[C:\Program Files\Network Associates\VirusScan\VSIDSvr.dll]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Common Files\Network Associates\Engine\MCSCAN32.DLL]  [McAfee, Inc., 5.3.00]
	[C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\VirusScan\EntSrv.Dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 536 / SYSTEM][C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\naicondl.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\RES09\VsTskMgr.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\MIDUtil.Dll]  [Network Associates, Inc., 8.0.0.145]
[PID: 416 / SYSTEM][C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe]  [Network Associates, Inc., 3.5.0.412]
	[C:\PROGRA~1\NETWOR~1\COMMON~1\nailog.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\PROGRA~1\NETWOR~1\COMMON~1\naCmnLib.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\PROGRA~1\NETWOR~1\COMMON~1\naXML.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\PROGRA~1\NETWOR~1\COMMON~1\0409\AgentRes.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\VirusScan\VsPlugin.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1000 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 1248 / SYSTEM][C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe]  [GEMTEKS, 1, 0, 0, 4]
[PID: 1340 / SYSTEM][C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe]  [Linksys, 1.0.0.14]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\Security.dll]  [, 1, 0, 2, 3]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\ProcNICs.dll]  [GemTek, 1, 0, 0, 7]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\resWMP54Gv4_US.dll]  [Linksys, 1.0.0.1]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\aviWMP54Gv4.dll]  [Linksys, 1.0.0.0]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\GEMWEP.DLL]  [, 1, 0, 0, 1]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\Ralinktek.DLL]  [GemTK, 1, 0, 0, 9]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\RM_DEV_CODE.dll]  [GEMTEKS, 1, 0, 1, 2]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\SES.dll]  [Linksys, 2, 2, 0, 2]
	[C:\WINDOWS\system32\GTW32N50.dll]  [, 1.0.0.1]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\ez54g.dll]  [, 1, 0, 0, 1]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\ses_cl.dll]  [N/A, ]
	[C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\0004\AegisE5.dll]  [Meetinghouse Data Communications, 3, 2, 5, 0]
[PID: 1856 / Chris][C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe]  [Lavasoft, 8, 0, 0, 0]
	[C:\Program Files\Lavasoft\Ad-Aware\Resources.dll]  [N/A, ]
[PID: 1876 / Chris][C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\SHUTIL.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\naiwmain.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\RES09\shstat.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\RES09\Product.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\RES09\McShield.dll]  [Network Associates, Inc., 8.0.0.251]
	[C:\Program Files\Network Associates\VirusScan\RES09\Shutilrc.dll]  [Network Associates, Inc., 8.0.0.912]
	[C:\Program Files\Network Associates\VirusScan\Graphics.dll]  [Network Associates, Inc., 8.0.0.912]
[PID: 1908 / Chris][C:\WINDOWS\system32\pctspk.exe]  [, 12, 300, 18, 0]
[PID: 1920 / Chris][C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe]  [Network Associates, Inc., 2.0.275.0]
[PID: 2008 / Chris][C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\nailog.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\naCmnLib.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\naXML.dll]  [Network Associates, Inc., 3.5.0.474]
	[C:\Program Files\Network Associates\Common Framework\0409\UpdRes.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\0409\AgentRes.dll]  [Network Associates, Inc., 3.5.0.412]
	[C:\Program Files\Network Associates\Common Framework\SecureFrameworkFactory.dll]  [Network Associates, Inc., 3.5.0.412]
[PID: 2056 / Chris][C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe]  [InstallShield Software Corporation, 3, 10, 100, 1146]
[PID: 2280 / Chris][C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe]  [Safer Networking Limited, 1, 6, 4, 26]
	[C:\Program Files\Spybot - Search & Destroy\advcheck.dll]  [Safer Networking Limited, 1, 6, 2, 15]
[PID: 2504 / Chris][C:\WINDOWS\system32\wscntfy.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2108)]
[PID: 3084 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[PID: 448 / Chris][C:\WINDOWS\system32\wuauclt.exe]  [(Verified) Microsoft Corporation, 7.2.6001.788 (winmain_oob/wu_wsuswlc(wmbla).081016-1330)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 3788 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\EntApi.dll]  [Network Associates, Inc, 8.0.0.240]
[PID: 3480 / Chris][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.9.0.7]
	[C:\Program Files\Mozilla Firefox\xul.dll]  [Mozilla Foundation, 1.9.0.7]
	[C:\Program Files\Mozilla Firefox\sqlite3.dll]  [sqlite.org, 3.5.9]
	[C:\Program Files\Mozilla Firefox\MOZCRT19.dll]  [Mozilla Foundation, 8.00.0000]
	[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
	[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Mozilla Foundation, 4.7.3]
	[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssutil3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\plc4.dll]  [Mozilla Foundation, 4.7.3]
	[C:\Program Files\Mozilla Firefox\plds4.dll]  [Mozilla Foundation, 4.7.3]
	[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\xpcom.dll]  [Mozilla Foundation, 1.9.0.7]
	[C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll]  [Mozilla Foundation, 1.9.0.7]
	[C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll]  [Mozilla Foundation, 1.9.0.7]
	[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssdbm3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.12.2.0 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.73]
[PID: 3416 / Chris][C:\Documents and Settings\Chris\Desktop\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.7.0.1210]
[PID: 3468 / Chris][C:\Documents and Settings\Chris\Desktop\sreng2\SREd103ed8b.EXE]  [Smallfrogs Studio, 2.7.0.1210]
	[C:\Documents and Settings\Chris\Desktop\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1	   localhost

==================================
Process Privileges Scan
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1340, C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI WIRELESS NETWORK MONITOR\WMP54GV4.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1876, C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\SHSTAT.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1908, C:\WINDOWS\SYSTEM32\PCTSPK.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1920, C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2008, C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2056, C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISSCH.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 3416, C:\DOCUMENTS AND SETTINGS\CHRIS\DESKTOP\SRENG2\SRENGLDR.EXE]

==================================
Scheduled Tasks
[Enabled] User_Feed_Synchronization-{4759B32F-081D-4A4F-8D20-448B21776925}.job
		C:\WINDOWS\system32\msfeedssync.exe 
[Enabled] Ad-Aware Update (Weekly).job
		C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 

==================================
API HOOK
Entrypoint Error: CreateProcessW (Dangerous Level: High,  Hooked by Module: 0x100031FD)

==================================
Hidden Process
N/A

==================================


#8 bamajim

Posted 09 March 2009 - 09:05 AM

rationalegoist

Rerun SRE2. In the Left pane Select System Repair.
In the Right Pane Under the Windows Shell / IE tab
Place checks in the boxes beside the following

Enable Start/Run dialog
Enable Using Windows Registry Editor (Regedit.exe)
Enable using Task Manager in Windows 2000/XP/Server 2003
Enable saving settings when log off
Enable using DOS programs
Enable using wallpaper
Enable using Control Panel
Show File menu in Windows Explorer
Show icons on desktop
Enable using Folder Options
Show Search Button
Enable right clicking in Windows Explorer and System Tray


Then Select the Repair button.
Close SRE2 ->> Reboot your PC.

And in your reply tell me if you are able to access Regedit, Taskmanager, and the Cmd window
Microsoft MVP - Windows Security
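The System Repair items bamajim lists correspond to well-known Windows policy registry values (NoRun, DisableRegistryTools, DisableTaskMgr and so on) that malware commonly sets to lock a user out of the tools that would expose it. The PowerShell below is an added example, not part of the thread and not SREng's own code: it audits those values in both HKCU and HKLM, reports which restrictions are set, and removes them only when run with -Repair. The value names are the standard Windows policy names; the WinOldApp mapping for "DOS programs" is assumed, DisableCMD is included because a cmd.exe that will not start is part of the symptom even though it is not one of SREng's checkboxes, and Get-ShellRestriction is a name chosen here.

```powershell
# Added example: audit (and optionally clear) the policy values behind the
# SREng "System Repair" items. Not code from the thread or from SREng.
# Value names are the standard Windows policy names; Item is the label from
# the post each one corresponds to.
$script:ShellPolicies = @(
    @{ Item = 'Enable Start/Run dialog';                   Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoRun' }
    @{ Item = 'Enable Using Windows Registry Editor';      Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' }
    @{ Item = 'Enable using Task Manager';                 Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' }
    @{ Item = 'Enable saving settings when log off';       Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSaveSettings' }
    # Legacy Win9x-era policy; assumed to be what SREng's "DOS programs" item toggles.
    @{ Item = 'Enable using DOS programs';                 Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp';     Name = 'Disabled' }
    @{ Item = 'Enable using wallpaper';                    Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
    @{ Item = 'Enable using Control Panel';                Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoControlPanel' }
    @{ Item = 'Show File menu in Windows Explorer';        Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoFileMenu' }
    @{ Item = 'Show icons on desktop';                     Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop' }
    @{ Item = 'Enable using Folder Options';               Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoFolderOptions' }
    @{ Item = 'Show Search Button';                        Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoFind' }
    @{ Item = 'Enable right clicking in Windows Explorer'; Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoViewContextMenu' }
    @{ Item = 'Enable right clicking in System Tray';      Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoTrayContextMenu' }
    # Not an SREng checkbox, but the policy behind a cmd.exe that refuses to start.
    @{ Item = 'Enable using the command prompt (cmd.exe)'; Sub = 'Software\Policies\Microsoft\Windows\System';                       Name = 'DisableCMD' }
)

function Get-ShellRestriction {
    <#
    .SYNOPSIS
      Lists the shell/tool restrictions currently set in HKCU and HKLM.
      With -Repair, deletes each value found (honours -WhatIf / -Confirm).
      Deleting HKLM values needs an elevated session; reading does not.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Repair)

    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($pol in $script:ShellPolicies) {
            $key = Join-Path $hive $pol.Sub
            # A missing key and a missing value both yield $null here.
            $prop = Get-ItemProperty -Path $key -Name $pol.Name -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }
            $value = $prop.($pol.Name)
            # These policies are DWORDs; any non-zero value means the restriction is on.
            if (-not ($value -as [int])) { continue }

            [pscustomobject]@{
                Item  = $pol.Item
                Key   = $key
                Name  = $pol.Name
                Value = $value
            }

            if ($Repair -and $PSCmdlet.ShouldProcess("$key\$($pol.Name)", 'Remove restriction')) {
                Remove-ItemProperty -Path $key -Name $pol.Name
            }
        }
    }
}

# Usage:
#   Get-ShellRestriction | Format-Table -AutoSize     # audit only
#   Get-ShellRestriction -Repair -WhatIf              # preview what -Repair would delete
#   Get-ShellRestriction -Repair                      # clear them; log off or restart Explorer afterwards
```

Two caveats worth keeping in mind when reading the result. Explorer caches several of these policies, so a restriction cleared with -Repair is only visibly gone after a log off or an Explorer restart. More importantly, a restriction that comes back after a reboot, or a tool that still dies on launch while every value above reads clean, points to a running component re-applying the block rather than a static registry setting; the SREng log in this thread already shows such a component (CreateProcessW hooked by an unnamed module), which is exactly the case this audit cannot fix and why the thread moves on to rootkit tooling.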

#9 rationalegoist (Topic Starter)

Posted 09 March 2009 - 10:09 AM

Ok, I tried that, but regedit, cmd, etc. still didn't work. However, when I tried running regedit for the first time, (and only that first time) I saw some suspicious program open for a second over the start button and quickly disappear. If I'd been staring at that spot, I might have seen what program ran to block it. Should I run SRE2 again and try and see what blocked it?

Also, I can run Task Manager. I've been able to run it all along.

#10 bamajim

Posted 09 March 2009 - 10:14 AM

rationalegoist

Let's do this.

Have you tried running Combofix in Safe mode?
Microsoft MVP - Windows Security

#11 rationalegoist (Topic Starter)

Posted 09 March 2009 - 10:16 AM

Yes, but it fails to run in the same manner.

#12 bamajim

Posted 10 March 2009 - 08:28 AM

rationalegoist

Go HERE and Download Gmer and Save it to your Desktop

Boot into Safe mode.

Turn off the protection devices you have running on the PC

McAfee, LavaSoft, and Spybot S&D.

Doubleclick Gmer.exe to run it.

Make sure all of the boxes are checked EXCEPT the show all box
Select Scan
Once the scan is Complete, Select the Save button.
Save the log to your Desktop where you can easily find it
Post that log in your reply
Microsoft MVP - Windows Security

#13 rationalegoist (Topic Starter)

Posted 10 March 2009 - 09:39 AM

bamajim, when I run the program I get an error: "GMER device error \\.\adbenhuy The system can't find the file specified." The program still ran after that, but it only let me check services, registry, files and c:\. The rest were grayed out.

Anyway, here's the log:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-10 09:21:32
Windows 5.1.2600 Service Pack 3


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8EDA349-F511-E316-6826-E4D0EC7CFBC3}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8EDA349-F511-E316-6826-E4D0EC7CFBC3}@eafeaagcaf 0x66 0x61 0x6C 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8EDA349-F511-E316-6826-E4D0EC7CFBC3}@daieplmi 0x64 0x62 0x6A 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8EDA349-F511-E316-6826-E4D0EC7CFBC3}@ianfhodejdlgpfkoln 0x6A 0x61 0x62 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8EDA349-F511-E316-6826-E4D0EC7CFBC3}@hadgfnplblmfooie 0x6A 0x61 0x62 0x6C ...

---- EOF - GMER 1.0.15 ----

#14 rationalegoist (Topic Starter)

Posted 10 March 2009 - 10:29 AM

Wait a minute. Using msconfig I disabled a few extra McAfee processes, and the problem is gone: I'm not getting redirected on search engines, and regedit, cmd, etc. all work. I'm in the process of narrowing down which one of six processes it is.

Well, I enabled all of them and everything still works. I don't understand what fixed it (perhaps GMER?), but it looks like this issue is fixed. I'll post if anything else comes up.

Thanks for your time and diligence, bamajim. I thought I was going to have to reformat!

Edited by rationalegoist, 10 March 2009 - 11:21 AM.


#15 bamajim

Posted 11 March 2009 - 03:07 PM

rationalegoist

Glad to hear it. I would suggest you reload McAfee.
Is there anything else we can help you with?
Microsoft MVP - Windows Security
