
Infected with Trojan-Spy.Win32.Agent.beaf and bdzz


  • This topic is locked
15 replies to this topic

#1 mossyangel

  • Members
  • 11 posts
  • Location: Jones, OK

Posted 21 March 2010 - 12:49 AM

My system had been all but stopping when browsing, it had never been so slow. Updated my virus software, PC Security Shield 2008, and ran a full computer scan...it found 8 instances of the beaf "strain" and 1 instance of the bdzz (they all ended with a file name of a0054568.exe thru a0054576.exe, as you can see they were consecutive and all were 16 KB in size). Also found along with the Trojans was an adware not-a-virus called Adware.Win32.WebHancer.x...it was found in the same spot as the others and named consecutively as well......file ended in a0054577.dll and it was 28 KB in size. My Shield tried to neutralize them but said it couldn't and the action would be postponed. I attempted to delete the files thru the Shield but of course that didn't work. Ran a full system scan again and there they were....all of them again. I have noticed that when I check the properties for C: drive....total RAM was 512....now it shows 447 of total RAM usage, thought that was odd. Trust me, I don't know and found long ago it is never good to speculate or assume anything with computers!! I really will appreciate anything you can do for me, need more info....I am at your service....lol. Here are the files....thanks again.....Cheryl


DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 21:04:35.82 on Sat 03/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.177 [GMT -5:00]

AV: The Shield Deluxe 2008 *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
Trusted Zone: hppcdl.com\links
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1261026896328
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258322328312
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-12-1 140200]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S2 Ca536av;Che-ez! VU2 Video Camera Device;c:\windows\system32\drivers\ca536av.sys --> c:\windows\system32\drivers\Ca536av.sys [?]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [2010-3-13 227200]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-1-10 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-1-10 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-1-10 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-1-10 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-1-10 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-1-10 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-1-10 115752]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]

=============== Created Last 30 ================

2010-03-21 02:00:31 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-03-20 12:54:09 0 d-----w- c:\program files\Runtime Software
2010-03-16 12:00:18 0 d-----w- c:\docume~1\alluse~1\applic~1\agi
2010-03-14 00:57:18 321 ----a-r- c:\windows\DC2110a.ini
2010-03-14 00:57:18 192512 ----a-r- c:\windows\select2.exe
2010-03-14 00:57:18 15542 ----a-r- c:\windows\cccp106.ini
2010-03-14 00:57:18 13023 ----a-r- c:\windows\cccp106.src
2010-03-14 00:57:17 227200 ----a-r- c:\windows\system32\drivers\cccp106.sys
2010-03-12 18:39:06 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-12 08:27:57 0 d-----w- c:\windows\SxsCaPendDel
2010-03-12 08:19:00 0 d-----w- c:\program files\common files\Adobe(2)
2010-03-11 22:51:40 97 ----a-w- c:\windows\system32\mhncache.dat
2010-03-10 06:13:27 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 14:17:02 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-03-07 05:42:28 436988 ----a-w- c:\windows\SIGVERIF.rtf

==================== Find3M ====================

2010-03-21 02:04:40 60539168 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-21 02:02:04 1417504 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-19 12:48:58 133292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-19 12:48:57 809564 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-06 04:54:29 141135 ----a-w- c:\windows\hpoins14.dat
2010-01-26 08:35:46 23088 ----a-w- c:\windows\hpqins15.dat
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-29 05:56:48 26072720 ----a-w- c:\program files\shielddeluxe2008setup.exe
2009-12-26 15:18:12 110644 ------w- c:\windows\fonts\tallpaul.ttf
2009-12-26 15:18:11 76676 ------w- c:\windows\fonts\Neurochr.ttf
2009-12-26 15:18:11 75364 ------w- c:\windows\fonts\Quigleyw.ttf
2009-12-26 15:18:11 67704 ------w- c:\windows\fonts\flx_girl.ttf
2009-12-26 15:18:11 67016 ------w- c:\windows\fonts\Occident.ttf
2009-12-26 15:18:11 39064 ------w- c:\windows\fonts\Manzanit.ttf
2009-12-26 15:18:11 37048 ------w- c:\windows\fonts\Outright.ttf
2009-12-26 15:18:11 35504 ------w- c:\windows\fonts\Resegrg_.ttf
2009-12-26 15:18:11 122736 ------w- c:\windows\fonts\Orlando.ttf
2009-12-26 15:18:11 120804 ------w- c:\windows\fonts\Oldgatel.ttf
2009-12-26 15:18:03 151668 ------w- c:\windows\fonts\batik.ttf
2009-12-26 15:18:03 148688 ------w- c:\windows\fonts\Austrise.ttf
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-09-22 06:51:06 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-11-20 15:01:08 163840 ----a-w- c:\program files\common files\AMCap.exe
2007-02-03 18:28:54 22 -csha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 21:05:26.55 ===============
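The "Created Last 30" and "Find3M" sections of a DDS log list one file per line as date, time, size in bytes, an eight-letter attribute string and a path. The script below is an added example written for this thread, not part of the original post and not code from the DDS tool: it parses those two sections from a constructed excerpt in the same shape as the log above and flags the entries a helper would look at first (executables written under c:\windows within the last 30 days, and files carrying both the hidden and system attributes). The attribute-letter meanings (d directory, c compressed, s system, h hidden, a archive, r/w read-only or writable) are read off the entries in this log and assumed to be the usual DOS attribute flags; the two rules are the example's own triage heuristics. Flags are leads to be checked against known software, not verdicts.

```python
"""Triage helper for the file sections of a DDS log (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed excerpt in the shape of the DDS output posted above: same line format,
# a handful of entries picked to exercise each rule. Not the complete log.
SAMPLE_DDS = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 21:04:35.82 on Sat 03/20/2010

=============== Created Last 30 ================

2010-03-21 02:00:31 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-03-14 00:57:18 192512 ----a-r- c:\windows\select2.exe
2010-03-14 00:57:17 227200 ----a-r- c:\windows\system32\drivers\cccp106.sys
2010-03-12 18:39:06 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-21 02:04:40 60539168 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-29 05:56:48 26072720 ----a-w- c:\program files\shielddeluxe2008setup.exe
2007-02-03 18:28:54 22 -csha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 21:05:26.55 ===============
"""

ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([a-z-]{8}) (.+)$")
SECTION_RE = re.compile(r"^=+ (.+?) =+$")            # "===== Find3M =====" -> "Find3M"
RUN_DATE_RE = re.compile(r"^Run by .+ on \w{3} (\d{2}/\d{2}/\d{4})$")
FILE_SECTIONS = {"Created Last 30", "Find3M"}       # sections that carry file entries
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".com", ".pif", ".bat", ".cmd"}
SYSTEM_DIR_PREFIX = "c:\\windows\\"


@dataclass
class FileEntry:
    section: str
    when: datetime
    size: int
    attrs: str      # eight-letter attribute string, e.g. "--sha-w-"
    path: str

    # Letter meanings as read from this log (assumed DOS attribute flags):
    # d directory, c compressed, s system, h hidden, a archive, r read-only / w writable.
    @property
    def directory(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_dds(text: str) -> Tuple[Optional[date], List[FileEntry]]:
    """Return the scan date from the header and every entry of the file sections."""
    scan_date, section, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_DATE_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)    # "FINISH: ..." also matches and simply ends parsing
            continue
        if section not in FILE_SECTIONS:
            continue
        m = ENTRY_RE.match(line)
        if m:
            d, t, size, attrs, path = m.groups()
            when = datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S")
            entries.append(FileEntry(section, when, int(size), attrs, path))
    return scan_date, entries


def triage(text: str, window_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries worth a closer look. Leads, not verdicts."""
    scan_date, entries = parse_dds(text)
    findings = []
    for e in entries:
        if e.directory:
            continue
        reasons = []
        ext = ntpath.splitext(e.path)[1].lower()
        # Entry timestamps in the log above run about five hours ahead of the header's
        # local time (header says GMT -5), so a file written during the scan can show a
        # small negative age; anything at or below the window counts as recent.
        age = (scan_date - e.when.date()).days if scan_date else None
        if ext in EXEC_EXT and e.path.lower().startswith(SYSTEM_DIR_PREFIX) \
                and age is not None and age <= window_days:
            reasons.append(f"executable written {age} day(s) before the scan under c:\\windows")
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS):
        print(f"{path}: {'; '.join(reasons)}")
```

Run against a real DDS.txt, the output is a short list to check by hand against installed software (camera drivers, the antivirus product's own data files and so on) before anything is treated as malicious.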



#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,792 posts
  • Gender: Male
  • Location: US

Posted 22 March 2010 - 04:41 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 mossyangel

  • Topic Starter
  • Members
  • 11 posts
  • Location: Jones, OK

Posted 23 March 2010 - 02:37 AM

Hi Blade, so nice to hear from you. I do apologize for not responding sooner, it seems I ended my computer time right before your response yesterday. If that is a good time for you then I will make sure I am available at the time later today, and please forgive these late night/early morning hours I am responding, I tend to get that way when not working. I hope I include all the info you need, it is very important to me to get this PC back in prime form at least as much as possible, I have a lot of research to do. So I thank you for your time now. I was unsure about how to add the second of the two reports generated by the DDS.scr program. In the instructions when beginning this "journey" I copied and pasted the DDS.txt report into the body of my reply but was instructed to attach the Attach.txt file. I am not seeing a place on this reply to attach anything and it did instruct me to zip the Attach report before attaching....that was a little confusing since I am aware of Zip programs to unzip but never zipped a file, not even sure I have a zip program on here....sorry. I am including the DDS report here and will await your instructions on what to do about the other report.

#1 DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 2:12:22.77 on Tue 03/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.145 [GMT -5:00]

AV: The Shield Deluxe 2008 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
svchost.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1261026896328
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258322328312
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-12-1 140200]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S2 Ca536av;Che-ez! VU2 Video Camera Device;c:\windows\system32\drivers\ca536av.sys --> c:\windows\system32\drivers\Ca536av.sys [?]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [2010-3-13 227200]
S3 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-1-10 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-1-10 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-1-10 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-1-10 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-1-10 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-1-10 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-1-10 115752]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-11-24 78104]

=============== Created Last 30 ================

2010-03-21 23:11:32 83216 ------w- c:\windows\system32\KmRemove.exe
2010-03-21 23:11:24 0 d-----w- c:\program files\HP USB Multimedia Keyboard
2010-03-21 02:00:31 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-03-20 12:54:09 0 d-----w- c:\program files\Runtime Software
2010-03-16 12:00:18 0 d-----w- c:\docume~1\alluse~1\applic~1\agi
2010-03-14 00:57:18 321 ----a-r- c:\windows\DC2110a.ini
2010-03-14 00:57:18 192512 ----a-r- c:\windows\select2.exe
2010-03-14 00:57:18 15542 ----a-r- c:\windows\cccp106.ini
2010-03-14 00:57:18 13023 ----a-r- c:\windows\cccp106.src
2010-03-14 00:57:17 227200 ----a-r- c:\windows\system32\drivers\cccp106.sys
2010-03-12 18:39:06 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-12 08:27:57 0 d-----w- c:\windows\SxsCaPendDel
2010-03-12 08:19:00 0 d-----w- c:\program files\common files\Adobe(2)
2010-03-11 22:51:40 97 ----a-w- c:\windows\system32\mhncache.dat
2010-03-10 06:13:27 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 14:17:02 917504 ----a-w- c:\windows\system32\FLASH.OCX
2010-03-07 05:42:28 436988 ----a-w- c:\windows\SIGVERIF.rtf

==================== Find3M ====================

2010-03-23 07:12:09 60616224 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-23 07:06:50 1421856 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-21 06:22:03 812156 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-21 06:22:03 134036 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-06 04:54:29 141135 ----a-w- c:\windows\hpoins14.dat
2010-01-26 08:35:46 23088 ----a-w- c:\windows\hpqins15.dat
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-29 05:56:48 26072720 ----a-w- c:\program files\shielddeluxe2008setup.exe
2009-12-26 15:18:12 110644 ------w- c:\windows\fonts\tallpaul.ttf
2009-12-26 15:18:11 76676 ------w- c:\windows\fonts\Neurochr.ttf
2009-12-26 15:18:11 75364 ------w- c:\windows\fonts\Quigleyw.ttf
2009-12-26 15:18:11 67704 ------w- c:\windows\fonts\flx_girl.ttf
2009-12-26 15:18:11 67016 ------w- c:\windows\fonts\Occident.ttf
2009-12-26 15:18:11 39064 ------w- c:\windows\fonts\Manzanit.ttf
2009-12-26 15:18:11 37048 ------w- c:\windows\fonts\Outright.ttf
2009-12-26 15:18:11 35504 ------w- c:\windows\fonts\Resegrg_.ttf
2009-12-26 15:18:11 122736 ------w- c:\windows\fonts\Orlando.ttf
2009-12-26 15:18:11 120804 ------w- c:\windows\fonts\Oldgatel.ttf
2009-12-26 15:18:03 151668 ------w- c:\windows\fonts\batik.ttf
2009-12-26 15:18:03 148688 ------w- c:\windows\fonts\Austrise.ttf
2008-09-22 06:51:06 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-11-20 15:01:08 163840 ----a-w- c:\program files\common files\AMCap.exe
2007-02-03 18:28:54 22 -csha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 2:12:34.04 ===============


#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,792 posts
  • Gender: Male
  • Location: US

Posted 23 March 2010 - 07:37 AM

Hello

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log



#5 mossyangel

  • Topic Starter
  • Members
  • 11 posts
  • Location: Jones, OK

Posted 23 March 2010 - 11:58 AM

Hi again Blade....

I am sure I did exactly as you told me to do, even down to renaming the Anti-Malware program bubbles.exe before downloading it to my desktop. When I did run the setup program it did go and get updates, gave me the box telling me it was updated, I hit OK....went to Scan screen, did the Quick Scan and it came back with nothing found.....see below

Malwarebytes' Anti-Malware 1.44
Database version: 3905
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/23/2010 11:48:50 AM
mbam-log-2010-03-23 (11-48-50).txt

Scan type: Quick Scan
Objects scanned: 140127
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,792 posts
  • Gender: Male
  • Location: US

Posted 23 March 2010 - 03:09 PM

Hello

WARNING: The AV product PC Security Shield, while currently not yet formally defined as "rogue" by the security community, has been charged by many users with serious charges including phishing and the distribution of malware. While these charges have not been formally verified, the number of claims is enough to worry me. See here for more information http://www.mywot.com/en/scorecard/pcsecurityshield.com

I would recommend you immediately attempt to remove The Shield Deluxe 2008 from your machine using Add/Remove Programs. If you encounter difficulties removing the software (as has been reported to occur) you should stop and return here. I will assist you in taking care of it manually.

Once The Shield Deluxe 2008 has been removed I would recommend replacing it with one of the following products which are free for personal home use.

Avast! or Antivir

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Let me know once this is done and we will run some more checks.

~Blade

Edited by Blade Zephon, 23 March 2010 - 03:09 PM.



#7 mossyangel

  • Topic Starter
  • Members
  • 11 posts
  • Location: Jones, OK

Posted 23 March 2010 - 04:34 PM

Thank you Blade....I was wondering about that program. I was able to uninstall it completely....or so it says, something tells me though that I will be finding pieces of it from now on throughout my files. So were the infections it found false positives, do you think?

Cheryl

#8 mossyangel

  • Topic Starter
  • Members
  • 11 posts
  • Location: Jones, OK

Posted 23 March 2010 - 05:42 PM

Sorry forgot to ask a few things...I removed the Malwarebytes before downloading the Avast....and would you think it beneficial to purchase the Internet Security Upgraded Version of Avast or would that really be more of a waste of money? We do a lot of online shopping and since I am not working, I was going to be checking in to doing some selling on ebay. We do all our banking online, paying some bills.....lot of private, sensitive info being exchanged. I was wondering too if you could direct me to the right area to find out about Services running, if ASP.NET and that Framework stuff is really necessary for a home user and to find out if I have any other problems that could be fixed. It has always seemed like there were waaaaaaaay too many programs starting up on here when starting up....lol. I also noticed dual entries of most every file, is that normal? This stuff is so far over my head, I just need some "plain English" guidance and explanations. You were extremely helpful Blade and very fast and efficient in rescuing me, your instructions were very well explained....well enough even for a dangerous novice like me to understand. Any other suggestions or advice you might have....or think of, please feel free to let me know. It is so much nicer discussing these things with a real live human as opposed to trying to figure out some of the books out there....again, I thank you. Avast is now loaded, will run a full system scan to see what it might or might not come up with. If it comes up with anything it cannot get rid of....mind if I come back and pick your brain some more? Promise not to be a pest....lol Enjoy!!

Cheryl

#9 Blade


Posted 24 March 2010 - 09:49 AM

Hello Cheryl

Glad you were able to get PC Security Shield uninstalled successfully.

Did you at one time have Kaspersky AV installed on this machine?

QUOTE
something tells me though that i will be finding pieces of it from now on throughout my files.

That's possible... but by the time we're done most of it should be gone. What's left should be harmless.

QUOTE
So were the infections it found false positives you think?

I wouldn't quite call them "false positives". More along the lines of "Completely made up in order to trick you into buying the full version".

QUOTE
would you think it beneficial to purchase the Internet Security Upgraded Version of Avast or would that really be more of a waste of money?

If you practice safe browsing habits, the free version of Avast! in conjunction with the Windows Firewall should be sufficient for any normal home user.

QUOTE
I was wondering too if you could direct me to the right area to find out about Services running, if ASP.NET and that Framework stuff is really necessary for a home user and to find out if i have any other problems that could be fixed.

I can try and answer your questions here, and if I don't know the answer I can then send you elsewhere on the boards for help. Which Services are you wondering about?

QUOTE
It has always seemed like there were waaaaaaaay too many programs starting up on here when starting up....lol

Which programs are running on startup?

QUOTE
I also noticed dual entries of most every file, is that normal?

I'm not sure I follow. Could you provide me with an example?

QUOTE
Avast is now loaded, will run a full system scan to see what it might or might not come up with.

If it finds anything please post the scan log for my review.

~Blade



#10 mossyangel


Posted 26 March 2010 - 02:25 PM

Hi Blade....thanks for your reply and sorry about mine being so delayed.

Yes it seems that all of the PC Security Shield is gone but this was not the free version of the program, my husband purchased it about a yr and a half ago, this was a full version of it. And no, to my knowledge we have never had Kaspersky AV on here but I had noticed some of those files and honestly thought they had to do with the Security Shield program. I do not know that each time I would check task manager to see what was running, because system would get so bogged down, there were always 2 instances of the Shield running. One generated by the current user and one by, I think it said Network Service or something like that. One of them was always hogging up cpu usage.....page file was always huge....and I could never end either process, told me access was denied. And I was logged on as system administrator.

As far as the Avast scan, I am not sure if things are set right, have run the scan 3 times now and just got a list of all the files that it skipped due to scanner settings. I have now gone in and created a new scan, read the help files and when I am done here, will scan computer thoroughly again. It never found anything on the other 3 scans but not really sure what it was looking for....lol. Will send you a copy of report if anything is found after this new scan.

The questions I have about Services might be a lil extensive and would just have to show you somehow, just seems there are an awful lot of them that I don't believe this system needs, but what do I know....lol. Will save that maybe for another reply if you don't mind. I would however like to know if it is really necessary to have those ASP.NET files on here and those damn Framework files, aren't those for IT specialists and developers? I have no use for such things and would rather they not be on here if I don't need them....have enough trouble with what we do need!!

The startup programs running seem to be so many, I was looking in Sys Info thru the start menu, check the running tasks, startup programs, services...all the info I could find to determine what was bogging system down. Of course in that file, it gives everything, all files running at startup so it's a huge file but for every file or at least 99% of them it showed 2 entries for each....one for .DEFAULT something and the other for this computer (computer name listed). I could maybe send you a portion of one of those files to let you see what I mean if you like.

There I think I covered all topics....will run that scan now and get back with you soon.....thanks again!!

Cheryl

#11 mossyangel


Posted 30 March 2010 - 11:04 AM

Hi Blade....

I ran the scan and it found nothing, I even created my own scan that was very deep and thorough, took almost 4 hrs to run....I feel confident it would have found something if it was here. Hopefully the Trojan problem is fixed or gone. I do have those other issues I mentioned in my reply before this one, I would still really appreciate any help you might be able to give....thanks.

Cheryl

#12 Blade


Posted 30 March 2010 - 11:37 AM

Hello Cheryl

Glad to hear the trojan problem seems to be gone.

In regard to your other questions:

1.) The .NET framework and ASP.NET are used to run programs designed using Microsoft's Visual Developer. While not required for most programs, it's harmless and shouldn't cause performance problems. Plus, it tends to be a pain in the neck to re-download (my computer didn't come standard with it and I've needed it for some applications in the past so I speak from experience here). I'd leave it just in case you ever come across an application which requires it.

2.) Regarding the startup issues... let's take a look at what's starting up.

Please download and install HijackThis

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.
More information, with a screenshot, can be found here.

~Blade


In your next reply, please include the following:
HijackThis startup log

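A StartupList log of the kind requested above is mostly placeholder lines such as *No values found* and *Registry key not found*, which makes the handful of locations that really hold an entry easy to miss. The script below is an added example written for this page; it is not HijackThis code and not something posted in the thread. It parses a log in the StartupList 1.52 layout (sections separated by a line of dashes, each starting with a header that ends in a colon) and keeps only the sections with real entries, so a reviewer can concentrate on those. The embedded sample log is constructed with made-up paths, and `LOCATION_HEADERS` is an assumption about which section types print a registry key or folder path on the line after the header.

```python
"""Triage helper for HijackThis StartupList logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SEPARATOR = re.compile(r"^-{10,}$")                 # dashed line between sections
BANNER = re.compile(r"^={10,}$")                    # '=====' line after the report banner
PLACEHOLDER = re.compile(r"(?:^|=)\*[^*]+\*$")      # '*No values found*', 'load=*Registry value not found*'
EMPTY_VALUE = re.compile(r"=\s*$")                  # 'AppInit_DLLs=' with nothing after it

# Assumption: these section types print a registry key or folder path on the
# line right after the header, before any actual entries.
LOCATION_HEADERS = (
    "Autorun entries",
    "File association entry",
    "Enumerating Active Setup",
    "Enumerating ICQ",
    "Shell folders",
    "User shell folders",
)

# Constructed sample in StartupList 1.52 layout; paths and GUID are made up.
SAMPLE_LOG = """\
StartupList report, 1/1/2010, 12:00:00 PM
StartupList version: 1.52.2
==================================================

Running processes:

C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Example AV\\avsvc.exe

--------------------------------------------------

Shell folders AltStartup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

exampleav = C:\\Program Files\\Example AV\\avui.exe /nogui

--------------------------------------------------

Autorun entries from Registry:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

*No values found*

--------------------------------------------------

Load/Run keys from Registry:

HKLM\\..\\Windows NT\\CurrentVersion\\WinLogon: load=*Registry value not found*
HKCU\\..\\Windows NT\\CurrentVersion\\Windows: load=
HKLM\\..\\Windows NT\\CurrentVersion\\Windows: AppInit_DLLs=

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\\Program Files\\Example\\hook.dll - {00000000-0000-0000-0000-000000000001}

--------------------------------------------------
"""


@dataclass
class Section:
    header: str                 # section title without the trailing ':'
    location: Optional[str]     # registry key / folder printed under the header, if any
    entries: List[str]          # real entries; placeholders and empty values are dropped


def parse_sections(text: str) -> List[Section]:
    """Split a StartupList log into sections and strip placeholder-only bodies."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if SEPARATOR.match(line) or BANNER.match(line):
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        blocks.append(current)

    sections: List[Section] = []
    for lines in blocks:
        header = lines[0]
        if not header.endswith(":"):
            continue  # report banner and option lines, not a section
        body = lines[1:]
        location = None
        if header.startswith(LOCATION_HEADERS) and body and not PLACEHOLDER.search(body[0]):
            location = body.pop(0)
        entries = [l for l in body if not PLACEHOLDER.search(l) and not EMPTY_VALUE.search(l)]
        sections.append(Section(header.rstrip(":"), location, entries))
    return sections


def populated(sections: List[Section]) -> List[Section]:
    """Only the sections that contain at least one real entry."""
    return [s for s in sections if s.entries]


if __name__ == "__main__":
    for s in populated(parse_sections(SAMPLE_LOG)):
        print(f"{s.header}" + (f" [{s.location}]" if s.location else ""))
        for e in s.entries:
            print("   ", e)
```

Run it as-is to see the summary of the constructed sample; to use it on a real log, read the file's text and pass it to `parse_sections` in place of `SAMPLE_LOG`. Anything it prints still has to be judged by hand; the script only removes the noise, it does not decide what is malicious.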


#13 mossyangel


Posted 04 April 2010 - 11:01 PM

Hey Blade...
Again, sorry for my delay in responding....was there a full moon recently?....lol

Here is the log file you requested (and yes I did disable anything to do with ASP.net or Framework, thought they might be bogging system down) but then I noticed I didn't have much space left on this 200 GB hard drive and discovered why, at one point in some directions from Microsoft I had to do a full system backup and it being so big I had nowhere to put it but back on computer....it was over 70 GB. I deleted it, hope I don't need it....lol...but system does run a lil better now.

StartupList report, 4/4/2010, 10:37:25 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast5 = C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[BtcMaestro]
ModelName = 5309U
Version = 1.2
Make = 1896321462
Language =
KeyboardID =
MouseID =
KeyboardSID =
MouseSID =
RxSecret =
RMenuSel =
AddMouse = 
JumpPickLevel =
KeyboardBat =
MouseBat =
KeyboardCh =
MouseCh =
FilterLMouse =
FilterRMouse =

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[>{f31449ef-6eb3-4660-a2fd-b55710da5882}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[KB910393] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{407408d4-94ed-4d86-ab69-a7f649d112ee}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\iWin Games\iWinGamesHookIE.dll - {8CA5ED52-F3FB-4414-A105-2E3491156990}
(no name) - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll - {d2ce3e00-f94a-4740-988e-03dc2f38c34f}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/C/0...heckControl.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\wlscBase.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Program Files\Bonjour\mdnsNSP.dll
NameSpace #2: C:\WINDOWS\System32\nwprovau.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\winrnr.dll
NameSpace #5: C:\WINDOWS\System32\mswsock.dll
NameSpace #6: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #7: C:\WINDOWS\system32\pnrpnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll
Protocol #27: C:\WINDOWS\system32\mswsock.dll
Protocol #28: C:\WINDOWS\system32\mswsock.dll
Protocol #29: C:\WINDOWS\system32\mswsock.dll
Protocol #30: C:\WINDOWS\system32\mswsock.dll
Protocol #31: C:\WINDOWS\system32\mswsock.dll
Protocol #32: C:\WINDOWS\system32\mswsock.dll
Protocol #33: C:\WINDOWS\system32\mswsock.dll
Protocol #34: C:\WINDOWS\system32\mswsock.dll
Protocol #35: C:\WINDOWS\system32\mswsock.dll
Protocol #36: C:\WINDOWS\system32\mswsock.dll
Protocol #37: C:\WINDOWS\system32\mswsock.dll
Protocol #38: C:\WINDOWS\system32\mswsock.dll
Protocol #39: C:\WINDOWS\system32\mswsock.dll
Protocol #40: C:\WINDOWS\system32\mswsock.dll
Protocol #41: C:\WINDOWS\system32\mswsock.dll
Protocol #42: C:\WINDOWS\system32\mswsock.dll
Protocol #43: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Sony Ericsson Device A016 driver (WDM): system32\DRIVERS\a016bus.sys (manual start)
Sony Ericsson Device A016 USB WMC Modeme Filter: system32\DRIVERS\a016mdfl.sys (manual start)
Sony Ericsson Device A016 USB WMC Modem Driver: system32\DRIVERS\a016mdm.sys (manual start)
Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM): system32\DRIVERS\a016mgmt.sys (manual start)
Sony Ericsson Device A016 USB WMC OBEX Interface: system32\DRIVERS\a016obex.sys (manual start)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD Processor Driver: system32\DRIVERS\AmdK8.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
aracpi: system32\DRIVERS\aracpi.sys (manual start)
MS Ar HID Filter Driver: system32\DRIVERS\arhidfltr.sys (manual start)
Microsoft PS2 Keyboard Filter: system32\DRIVERS\arkbcfltr.sys (manual start)
Microsoft PS2 Mouse Filter: system32\DRIVERS\armoucfltr.sys (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
ARPolicy: system32\DRIVERS\arpolicy.sys (manual start)
ARSVC: C:\WINDOWS\arservice.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (disabled)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" (manual start)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (disabled)
MAC Bridge: system32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: system32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Che-ez! VU2 Video Camera Device: System32\Drivers\Ca536av.sys (autostart)
ICatch (VI) PC Camera: System32\Drivers\SPCA561.SYS (manual start)
CbFs: \??\C:\WINDOWS\system32\drivers\cbfs.sys (system)
CIF USB Camera (2110A): system32\DRIVERS\cccp106.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)
Media Center Receiver Service: C:\WINDOWS\eHome\ehRecvr.exe (manual start)
Media Center Scheduler Service: C:\WINDOWS\eHome\ehSched.exe (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (disabled)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
ftsata2: system32\DRIVERS\ftsata2.sys (system)
GameConsoleService: "C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe" (disabled)
GEAR ASPI Filter Driver: system32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
hpqcxs08: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (manual start)
HP CUE DeviceDiscovery Service: %SystemRoot%\system32\svchost.exe -k hpdevmgmt (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HSXHWBS2: system32\DRIVERS\HSXHWBS2.sys (manual start)
HSX_DP: system32\DRIVERS\HSX_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
Intel RAID Controller: system32\DRIVERS\iaStor.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" (disabled)
Windows CardSpace: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
Service for Realtek HD Audio (WDM): system32\drivers\RtkHDAud.sys (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
iWinTrusted: C:\Program Files\iWin Games\iWinTrusted.exe (disabled)
Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (manual start)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LightScribeService Direct Disc Labeling Service: "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" (disabled)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Media Center Extender Service: C:\WINDOWS\ehome\mcrdsvc.exe (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (manual start)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
MHN: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MHN driver: system32\DRIVERS\mhndrv.sys (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (disabled)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
Net Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)
NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: system32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: system32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: system32\DRIVERS\nwlnkspx.sys (autostart)
Microsoft Office Diagnostics Service: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Peer Networking Group Authentication: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Peer Networking Identity Manager: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Peer Networking: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: %SystemRoot%\System32\svchost.exe -k HPZ12 (manual start)
Peer Name Resolution Protocol: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Linksys Wireless-G PCI Adapter Driver(RT61): system32\DRIVERS\RT61.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Sony Ericsson Device 0016 driver (WDM): system32\DRIVERS\s0016bus.sys (manual start)
Sony Ericsson Device 0016 USB WMC Modem Filter: system32\DRIVERS\s0016mdfl.sys (manual start)
Sony Ericsson Device 0016 USB WMC Modem Driver: system32\DRIVERS\s0016mdm.sys (manual start)
Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM): system32\DRIVERS\s0016mgmt.sys (manual start)
Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS): system32\DRIVERS\s0016nd5.sys (manual start)
Sony Ericsson Device 0016 USB WMC OBEX Interface: system32\DRIVERS\s0016obex.sys (manual start)
Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM): system32\DRIVERS\s0016unic.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Simple TCP/IP Services: %SystemRoot%\system32\tcpsvcs.exe (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{8DA84759-6C62-4695-9DB6-4789D64FAF43} (autostart)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip6.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Apple Mobile USB Driver: System32\Drivers\usbaapl.sys (manual start)
Che-ez! VU2 Still Camera Device: System32\Drivers\Bulk536.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
DSC Composite USB Device: system32\DRIVERS\usbhub.sys (autostart)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsx: system32\DRIVERS\HSX_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
WpdUsb: system32\DRIVERS\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\COMPAQ~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\COMPAQ~1\Cookies\index.dat||C:\DOCUME~1\COMPAQ~1\LOCALS~1\History\History.IE5\index.dat||C:\DOCUME~1\COMPAQ~1\LOCALS~1\History\History.IE5\MSHIST~1\index.dat|||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 40,198 bytes
Report generated in 0.672 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Will try to give a quicker response in the future....thanks again!

Cheryl

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:31 PM

Posted 07 April 2010 - 11:44 AM

Hello Cheryl

After reading through the log multiple times, I really don't see anything that should be disabled to improve startup time. Slow booting is a problem that many computers begin to experience as they age. Sometimes the best fix for this is a format and reinstallation of the OS, or a restore back to factory settings. Note that doing this will erase everything from your machine (or in the case of a factory restore will remove everything that was not on the machine "out-of-the-box"). Therefore, you will need to back up files you don't wish to lose before undergoing this process. If you're interested, I can give you some more information on this.

Otherwise you look good to go to me.

Your machine appears to be clean!


If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide or Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above.

Next, please hide your System Files. To do this, please refer to the following guide and reverse its steps: "How To See Hidden Files in Windows."


This should give you a good start into malware free pc usage. However I suggest you visit the following additional information listed below:

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
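The Hosts-file blocking that HostsMan automates works because the resolver consults the hosts file before DNS, so any name the file points at 0.0.0.0 or 127.0.0.1 never reaches the network. The following parser, added here as an illustration and not code from the thread, from HostsMan or from the MVPS list, shows that mechanism on a constructed sample hosts file: it handles comments, tabs and multiple names per line, skips malformed lines, and reports which names are sinkholed. The hostnames in SAMPLE_HOSTS are made up.

```python
"""Parse a hosts file and report which hostnames it sinkholes.

Added example, not code from the original thread, from HostsMan or from
the MVPS Hosts project.  The sample hosts content below is constructed.
"""
import ipaddress

# Addresses a blocklist-style hosts file points unwanted names at.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately map to loopback and are not blocklist entries.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return a dict mapping lowercase hostname -> address string.

    '#' starts a comment (whole-line or trailing); blank lines are skipped;
    fields may be separated by spaces or tabs; one line may list several
    names.  A line whose first field is not a valid IP address is skipped
    rather than raising, mirroring how resolvers ignore junk lines.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            # Keep the first entry seen for a name; later duplicates are ignored.
            mapping.setdefault(name.lower(), str(addr))
    return mapping


def blocked_hosts(text):
    """Sorted hostnames the file redirects to a sinkhole address."""
    return sorted(
        name
        for name, addr in parse_hosts(text).items()
        if addr in SINKHOLE_ADDRESSES and name not in LOOPBACK_NAMES
    )


def is_blocked(text, hostname):
    """True if a lookup of hostname would be answered from the hosts file
    with a sinkhole address instead of going out to DNS."""
    return parse_hosts(text).get(hostname.strip().lower()) in SINKHOLE_ADDRESSES


# Constructed sample hosts file (hypothetical names, not the real MVPS list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.net   # constructed blocklist entry
0.0.0.0\ttracker.example.org www.tracker.example.org
not-an-ip  bogus.example   # malformed line, skipped by the parser
127.0.0.1 update.example-vendor.test   # same mechanism aimed at a vendor's update host
"""

if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE_HOSTS):
        print("blocked:", host)
    print("ads.example.net blocked:", is_blocked(SAMPLE_HOSTS, "ADS.EXAMPLE.NET"))
```

The same function can be pointed at a live file (on Windows XP that is %SystemRoot%\system32\drivers\etc\hosts) to audit what it currently blocks: the last sample line is the kind of entry to look for, since a hosts file that sinkholes an update or security-vendor host silently cuts that software off using exactly the mechanism a blocklist relies on.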


#15 mossyangel

mossyangel
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Location:Jones, OK
  • Local time:03:31 PM

Posted 08 April 2010 - 08:09 PM

Thank you so much Blade, you have been an awesome help! Will definitely refer anyone having troubles to you guys...will always keep you in mind for help.

Cheryl



