
virus/trojan loads 320+ processes


  • This topic is locked
2 replies to this topic

#1 griever

  • Members
  • 5 posts

Posted 11 May 2010 - 04:52 AM

Hi All,

Hoping you can take a look at this log and see if you can work out what I have here. I purchased a USB item off of eBay to test for my work, and it contained an autorun which has installed something onto my PC. Whatever this is runs 320+ processes when I reboot.

The install.exe description is h5q8yl.

Within the autorun is:

[AutoRun]
open=install.exe
shell\open=Open(&O)
shell\open\Command=install.exe
shell\open\Default=1
shell\explore=Manage(&X)
shell\explore\Command=install.exe


And there is a ycfhbscv.bat file as well with the following:

@echo off
:uczjugly4wiffei738m
attrib -a -r -s -h "G:\\install.exe"
del "G:\\install.exe"
if exist "G:\\install.exe" goto uczjugly4wiffei738m
del %0

I have done a Malwarebytes full scan: found nothing.
Spybot Search & Destroy: found nothing.
AVG 8.5 Network Edition: found nothing.

I haven't seen anything quite like this before, as these processes don't seem to be doing much, and after finding the master DLL and ending it I was able to kill off all the processes (if I leave the dllhost.exe running it just starts up new processes).

I'm hoping a system restore is going to fix the problem (besides manually finding every single one of the exe's it's made and deleting them), and I'll do that after posting, but if someone could take a look at my HijackThis log that would be cool.

Thanks in advance
Robin

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:41:04 PM, on 11/05/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\AASP\1.00.78\aaCenter.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\EXPERTool ATI\TBPANEL.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\CPU Level UpEx\CpuLevelUp.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\AVG\AVG8\avgui.exe
C:\Program Files (x86)\ASUS\PC Probe II\Probe2.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up] "C:\Program Files\ASUS\Ai Suite\CPU Level UPEx\CpuLevelUp.exe" -r
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [hnpqpe] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\hnpqpe.exe"
O4 - HKLM\..\Run: [eqSetup] "C:\Program Files (x86)\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\eqSetup.exe"
O4 - HKLM\..\Run: [nxmbamgui] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\nxmbamgui.exe"
O4 - HKLM\..\Run: [sfmsvs] "C:\Program Files (x86)\Windows Live\Messenger\sfmsvs.exe"
O4 - HKLM\..\Run: [uhFLOPPYME.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\uhFLOPPYME.EXE"
O4 - HKLM\..\Run: [uhFLOPPYME] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\uhFLOPPYME.exe"
O4 - HKLM\..\Run: [vsMSTORE.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\vsMSTORE.EXE"
O4 - HKLM\..\Run: [vsMSTORE] "C:\Program Files (x86)\Microsoft Office\Office12\vsMSTORE.exe"
O4 - HKLM\..\Run: [wjmsnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\wjmsnmsgr.exe"
O4 - HKLM\..\Run: [dwEQNEDT32.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\dwEQNEDT32.EXE"
O4 - HKLM\..\Run: [dwEQNEDT32] "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\dwEQNEDT32.exe"
O4 - HKLM\..\Run: [sisetup] "C:\Program Files (x86)\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\sisetup.exe"
O4 - HKLM\..\Run: [ameserv] "C:\Program Files (x86)\Java\jre6\bin\ameserv.exe"
O4 - HKLM\..\Run: [ocesscoordinationserver] "C:\Program Files (x86)\Common Files\Adobe\dynamiclink\ocesscoordinationserver.exe"
O4 - HKLM\..\Run: [vuuTorrent] "C:\Program Files (x86)\uTorrent\vuuTorrent.exe"
O4 - HKLM\..\Run: [fzkinit] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\fzkinit.exe"
O4 - HKLM\..\Run: [LClient] "C:\Program Files (x86)\Microsoft Games for Windows - LIVE\Client\LClient.exe"
O4 - HKLM\..\Run: [indowsServer2003-KB898715-ia64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\indowsServer2003-KB898715-ia64-enu.exe"
O4 - HKLM\..\Run: [otNetInstaller] "C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\otNetInstaller.exe"
O4 - HKLM\..\Run: [zbBridge] "C:\Program Files (x86)\Adobe\Adobe Bridge CS4\zbBridge.exe"
O4 - HKLM\..\Run: [rgPQLAUNCH.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\rgPQLAUNCH.EXE"
O4 - HKLM\..\Run: [rgPQLAUNCH] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\rgPQLAUNCH.exe"
O4 - HKLM\..\Run: [NetInstaller] "C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\NetInstaller.exe"
O4 - HKLM\..\Run: [pporbd] "C:\Program Files (x86)\Java\jre6\bin\pporbd.exe"
O4 - HKLM\..\Run: [ndowsServer2003-KB898715-x86-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\ndowsServer2003-KB898715-x86-enu.exe"
O4 - HKLM\..\Run: [brRemStart] "C:\Program Files (x86)\Symantec\pcAnywhere\brRemStart.exe"
O4 - HKLM\..\Run: [bmsetup] "C:\Program Files (x86)\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\bmsetup.exe"
O4 - HKLM\..\Run: [ccavgsrmaa] "C:\Program Files (x86)\AVG\AVG8\ccavgsrmaa.exe"
O4 - HKLM\..\Run: [gleUpdaterRestartManager] "C:\Program Files (x86)\Google\Google Updater\2.4.1698.5652\gleUpdaterRestartManager.exe"
O4 - HKLM\..\Run: [zuMSOHTMED.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\zuMSOHTMED.EXE"
O4 - HKLM\..\Run: [zuMSOHTMED] "C:\Program Files (x86)\Microsoft Office\Office12\zuMSOHTMED.exe"
O4 - HKLM\..\Run: [raHELPER.EXE] "C:\Program Files (x86)\Creative\Product Registration\English\raHELPER.EXE"
O4 - HKLM\..\Run: [raHELPER] "C:\Program Files (x86)\Creative\Product Registration\English\raHELPER.exe"
O4 - HKLM\..\Run: [zopxinsi64] "C:\Program Files (x86)\Common Files\PX Storage Engine\zopxinsi64.exe"
O4 - HKLM\..\Run: [jasqladhlp] "C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\jasqladhlp.exe"
O4 - HKLM\..\Run: [myrazerhid] "C:\Program Files (x86)\Razer\DeathAdder\myrazerhid.exe"
O4 - HKLM\..\Run: [inst-InnerSpace] "C:\Program Files (x86)\InnerSpace\inst-InnerSpace.exe"
O4 - HKLM\..\Run: [rkSETLANG.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\rkSETLANG.EXE"
O4 - HKLM\..\Run: [rkSETLANG] "C:\Program Files (x86)\Microsoft Office\Office12\rkSETLANG.exe"
O4 - HKLM\..\Run: [SchedulerSvc] "C:\Program Files (x86)\Symantec\LiveUpdate\SchedulerSvc.exe"
O4 - HKLM\..\Run: [jlwlcomm] "C:\Program Files (x86)\Windows Live\Contacts\jlwlcomm.exe"
O4 - HKLM\..\Run: [be AIR Application Installer] "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\be AIR Application Installer.exe"
O4 - HKLM\..\Run: [lwINFOPATH.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\lwINFOPATH.EXE"
O4 - HKLM\..\Run: [lwINFOPATH] "C:\Program Files (x86)\Microsoft Office\Office12\lwINFOPATH.exe"
O4 - HKLM\..\Run: [_Video Viewer Setup_24354] "C:\Program Files (x86)\VideoViewer\_Video Viewer Setup_24354.exe"
O4 - HKLM\..\Run: [xaIraLrShl] "C:\Program Files (x86)\Common Files\Symantec Shared\LiveReg\xaIraLrShl.exe"
O4 - HKLM\..\Run: [DwFileHelper] "C:\Program Files (x86)\Nero\Nero 9\Nero Burning ROM\DwFileHelper.exe"
O4 - HKLM\..\Run: [cyMSTORE.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\cyMSTORE.EXE"
O4 - HKLM\..\Run: [cyMSTORE] "C:\Program Files (x86)\Microsoft Office\Office12\cyMSTORE.exe"
O4 - HKLM\..\Run: [uujava] "C:\Program Files (x86)\Java\jre6\bin\uujava.exe"
O4 - HKLM\..\Run: [bbwmplayer] "C:\Program Files (x86)\Windows Media Player\bbwmplayer.exe"
O4 - HKLM\..\Run: [ndowsXP-KB898715-x64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\ndowsXP-KB898715-x64-enu.exe"
O4 - HKLM\..\Run: [kkDSSM.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\kkDSSM.EXE"
O4 - HKLM\..\Run: [kkDSSM] "C:\Program Files (x86)\Microsoft Office\Office12\kkDSSM.exe"
O4 - HKLM\..\Run: [NOTIFY.EXE] "C:\Program Files (x86)\Symantec\LiveUpdate\NOTIFY.EXE"
O4 - HKLM\..\Run: [NOTIFY] "C:\Program Files (x86)\Java\jre6\bin\notify.exe"
O4 - HKLM\..\Run: [mjPqboot32] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\mjPqboot32.exe"
O4 - HKLM\..\Run: [k64Launcher] "C:\Program Files (x86)\Symantec\pcAnywhere\k64Launcher.exe"
O4 - HKLM\..\Run: [zjkeytool] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\zjkeytool.exe"
O4 - HKLM\..\Run: [qssetup] "C:\Program Files (x86)\AVG\AVG8\qssetup.exe"
O4 - HKLM\..\Run: [roSetup] "C:\Program Files (x86)\Sony Setup\Vegas 7.0\mediamgr\roSetup.exe"
O4 - HKLM\..\Run: [iffer_gpu] "C:\Program Files (x86)\Adobe\Adobe Utilities\Pixel Bender Toolkit\iffer_gpu.exe"
O4 - HKLM\..\Run: [epDFUICOM.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\epDFUICOM.EXE"
O4 - HKLM\..\Run: [epDFUICOM] "C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\epDFUICOM.exe"
O4 - HKLM\..\Run: [yhmbamgui] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\yhmbamgui.exe"
O4 - HKLM\..\Run: [jpOSE.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\jpOSE.EXE"
O4 - HKLM\..\Run: [jpOSE] "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\jpOSE.exe"
O4 - HKLM\..\Run: [croRd32Info] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\croRd32Info.exe"
O4 - HKLM\..\Run: [rrSetup] "C:\Program Files (x86)\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\rrSetup.exe"
O4 - HKLM\..\Run: [4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\4ServiceManager.exe"
O4 - HKLM\..\Run: [dowsServer2003-KB898715-ia64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\dowsServer2003-KB898715-ia64-enu.exe"
O4 - HKLM\..\Run: [dowsXP-KB898715-x64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEExporters\redist\dowsXP-KB898715-x64-enu.exe"
O4 - HKLM\..\Run: [jqDXStress] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Graphics-Full-Existing\jqDXStress.exe"
O4 - HKLM\..\Run: [X Converter] "C:\Program Files (x86)\DivX\DivX Converter\X Converter.exe"
O4 - HKLM\..\Run: [mpSetupX] "C:\Program Files (x86)\Common Files\Nero\Nero ProductInstaller 4\mpSetupX.exe"
O4 - HKLM\..\Run: [kvCTEPImpu] "C:\Program Files (x86)\Creative\MediaSource5\kvCTEPImpu.exe"
O4 - HKLM\..\Run: [puorbd] "C:\Program Files (x86)\Java\jre6\bin\puorbd.exe"
O4 - HKLM\..\Run: [eader_sl] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\eader_sl.exe"
O4 - HKLM\..\Run: [be Extension Manager CS4] "C:\Program Files (x86)\Adobe\Adobe Extension Manager CS4\be Extension Manager CS4.exe"
O4 - HKLM\..\Run: [ha For After Effects] "C:\Program Files (x86)\Adobe\Adobe After Effects CS4\Mocha\bin\ha For After Effects.exe"
O4 - HKLM\..\Run: [oogleUpdaterInstallMgr] "C:\Program Files (x86)\Google\Google Updater\2.4.1698.5652\oogleUpdaterInstallMgr.exe"
O4 - HKLM\..\Run: [mfMsiZapU] "C:\Program Files (x86)\MSECACHE\WICU3\mfMsiZapU.exe"
O4 - HKLM\..\Run: [yoWRPROG.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\yoWRPROG.EXE"
O4 - HKLM\..\Run: [yoWRPROG] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\yoWRPROG.exe"
O4 - HKLM\..\Run: [dbDW20.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\DW\dbDW20.EXE"
O4 - HKLM\..\Run: [dbDW20] "C:\Program Files (x86)\Common Files\microsoft shared\DW\dbDW20.exe"
O4 - HKLM\..\Run: [jmsetup] "C:\Program Files (x86)\Creative Installation Information\E-CENTER_PLUGIN_ONLINESTORE_U\jmsetup.exe"
O4 - HKLM\..\Run: [mkrmid] "C:\Program Files (x86)\Java\jre6\bin\mkrmid.exe"
O4 - HKLM\..\Run: [yysetup] "C:\Program Files (x86)\Creative Installation Information\CREATIVE_MEDIASOURCE_U\yysetup.exe"
O4 - HKLM\..\Run: [SysCtrlSrvcIns] "C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\SysCtrlSrvcIns.exe"
O4 - HKLM\..\Run: [udWinaw32] "C:\Program Files (x86)\Symantec\pcAnywhere\udWinaw32.exe"
O4 - HKLM\..\Run: [uzDSSM.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\uzDSSM.EXE"
O4 - HKLM\..\Run: [uzDSSM] "C:\Program Files (x86)\Microsoft Office\Office12\uzDSSM.exe"
O4 - HKLM\..\Run: [diaMgrDiag] "C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\2.2\diaMgrDiag.exe"
O4 - HKLM\..\Run: [yqPMagicNT] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\yqPMagicNT.exe"
O4 - HKLM\..\Run: [vertool] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\vertool.exe"
O4 - HKLM\..\Run: [wqNeroLive] "C:\Program Files (x86)\Nero\Nero 9\Nero Live\wqNeroLive.exe"
O4 - HKLM\..\Run: [pfOINFOP12.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\pfOINFOP12.EXE"
O4 - HKLM\..\Run: [pfOINFOP12] "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\pfOINFOP12.exe"
O4 - HKLM\..\Run: [iscSpeed] "C:\Program Files (x86)\Nero\Nero 9\Nero DiscSpeed\iscSpeed.exe"
O4 - HKLM\..\Run: [vhPMagicNT] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\vhPMagicNT.exe"
O4 - HKLM\..\Run: [sgMSQRY32.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\sgMSQRY32.EXE"
O4 - HKLM\..\Run: [sgMSQRY32] "C:\Program Files (x86)\Microsoft Office\Office12\sgMSQRY32.exe"
O4 - HKLM\..\Run: [bxsnapshot] "C:\Program Files (x86)\Microsoft SQL Server\80\COM\bxsnapshot.exe"
O4 - HKLM\..\Run: [oqCGuard] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Choice Guard\oqCGuard.exe"
O4 - HKLM\..\Run: [vqsetup] "C:\Program Files (x86)\Creative Installation Information\E-CENTER_PLUGIN_ONLINESTORE_U\vqsetup.exe"
O4 - HKLM\..\Run: [rseClientUpdater] "C:\Program Files (x86)\Curse\rseClientUpdater.exe"
O4 - HKLM\..\Run: [zyavgam] "C:\Program Files (x86)\AVG\AVG8\zyavgam.exe"
O4 - HKLM\..\Run: [rnPOWERPNT.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\rnPOWERPNT.EXE"
O4 - HKLM\..\Run: [rnPOWERPNT] "C:\Program Files (x86)\Microsoft Office\Office12\rnPOWERPNT.exe"
O4 - HKLM\..\Run: [pirazerhid] "C:\Program Files (x86)\Razer\DeathAdder\pirazerhid.exe"
O4 - HKLM\..\Run: [adpqpe9x] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\adpqpe9x.exe"
O4 - HKLM\..\Run: [mvMSE7.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\mvMSE7.EXE"
O4 - HKLM\..\Run: [mvMSE7] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\mvMSE7.exe"
O4 - HKLM\..\Run: [ypUpdate] "C:\Program Files (x86)\Spybot - Search & Destroy\ypUpdate.exe"
O4 - HKLM\..\Run: [isavgdumpx] "C:\Program Files (x86)\AVG\AVG8\isavgdumpx.exe"
O4 - HKLM\..\Run: [gTransport] "C:\Program Files (x86)\Adobe\Adobe Extension Manager CS4\gTransport.exe"
O4 - HKLM\..\Run: [lhstophost] "C:\Program Files (x86)\Symantec\pcAnywhere\lhstophost.exe"
O4 - HKLM\..\Run: [fficeLiveSignIn] "C:\Program Files (x86)\Microsoft\Office Live\fficeLiveSignIn.exe"
O4 - HKLM\..\Run: [zkPQBOOT.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\zkPQBOOT.EXE"
O4 - HKLM\..\Run: [zkPQBOOT] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\zkPQBOOT.exe"
O4 - HKLM\..\Run: [tiavgdiag] "C:\Program Files (x86)\AVG\AVG8\tiavgdiag.exe"
O4 - HKLM\..\Run: [scunins000] "C:\Program Files (x86)\FLV to AVI\scunins000.exe"
O4 - HKLM\..\Run: [qtUninstWA] "C:\Program Files (x86)\Winamp\qtUninstWA.exe"
O4 - HKLM\..\Run: [rlPOWERPNT.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\rlPOWERPNT.EXE"
O4 - HKLM\..\Run: [rlPOWERPNT] "C:\Program Files (x86)\Microsoft Office\Office12\rlPOWERPNT.exe"
O4 - HKLM\..\Run: [sjwlcomm] "C:\Program Files (x86)\Windows Live\Contacts\sjwlcomm.exe"
O4 - HKLM\..\Run: [tornuninst] "C:\Program Files (x86)\premier\Plug-ins\RNCompiler\tornuninst.exe"
O4 - HKLM\..\Run: [poaerender] "C:\Program Files (x86)\Adobe\Adobe After Effects CS4\Support Files\poaerender.exe"
O4 - HKLM\..\Run: [qtsetup] "C:\Program Files (x86)\InstallShield Installation Information\{DCCC08BD-FC52-4AEB-ACF8-6A5C06550468}\qtsetup.exe"
O4 - HKLM\..\Run: [bpNero] "C:\Program Files (x86)\Nero\Nero 9\Nero Burning ROM\bpNero.exe"
O4 - HKLM\..\Run: [soGRAPH.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\soGRAPH.EXE"
O4 - HKLM\..\Run: [soGRAPH] "C:\Program Files (x86)\Microsoft Office\Office12\soGRAPH.exe"
O4 - HKLM\..\Run: [syPQBOOTX.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\syPQBOOTX.EXE"
O4 - HKLM\..\Run: [syPQBOOTX] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\syPQBOOTX.exe"
O4 - HKLM\..\Run: [beCollabSync] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\beCollabSync.exe"
O4 - HKLM\..\Run: [oqminicalc] "C:\Program Files (x86)\K-Lite Codec Pack\Tools\oqminicalc.exe"
O4 - HKLM\..\Run: [leCNFNOT32.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\leCNFNOT32.EXE"
O4 - HKLM\..\Run: [leCNFNOT32] "C:\Program Files (x86)\Microsoft Office\Office12\leCNFNOT32.exe"
O4 - HKLM\..\Run: [toSnap] "C:\Program Files (x86)\Nero\Nero 9\Nero PhotoSnap\toSnap.exe"
O4 - HKLM\..\Run: [kuklist] "C:\Program Files (x86)\Java\jre6\bin\kuklist.exe"
O4 - HKLM\..\Run: [qrjavaws] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\qrjavaws.exe"
O4 - HKLM\..\Run: [yeQTTask] "C:\Program Files (x86)\QuickTime\yeQTTask.exe"
O4 - HKLM\..\Run: [ctureViewer] "C:\Program Files (x86)\QuickTime\ctureViewer.exe"
O4 - HKLM\..\Run: [pwpxcpya64] "C:\Program Files (x86)\Common Files\PX Storage Engine\pwpxcpya64.exe"
O4 - HKLM\..\Run: [indowsInstaller-KB893803-v2-x86] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\indowsInstaller-KB893803-v2-x86.exe"
O4 - HKLM\..\Run: [qmCTEPImpu] "C:\Program Files (x86)\Creative\MediaSource5\qmCTEPImpu.exe"
O4 - HKLM\..\Run: [xxjucheck] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\xxjucheck.exe"
O4 - HKLM\..\Run: [be AIR Updater] "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\be AIR Updater.exe"
O4 - HKLM\..\Run: [ediaMgrDiag] "C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\2.2\ediaMgrDiag.exe"
O4 - HKLM\..\Run: [xysetup_wm] "C:\Program Files (x86)\Windows Media Player\xysetup_wm.exe"
O4 - HKLM\..\Run: [cSpeed] "C:\Program Files (x86)\Nero\Nero 9\Nero DiscSpeed\cSpeed.exe"
O4 - HKLM\..\Run: [nstallShell64] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\nstallShell64.exe"
O4 - HKLM\..\Run: [emONENOTEM.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\emONENOTEM.EXE"
O4 - HKLM\..\Run: [emONENOTEM] "C:\Program Files (x86)\Microsoft Office\Office12\emONENOTEM.exe"
O4 - HKLM\..\Run: [agTBZOOM.EXE] "C:\Program Files (x86)\EXPERTool ATI\agTBZOOM.EXE"
O4 - HKLM\..\Run: [agTBZOOM] "C:\Program Files (x86)\EXPERTool ATI\agTBZOOM.exe"
O4 - HKLM\..\Run: [xoNetConf] "C:\Program Files (x86)\Proxifier\xoNetConf.exe"
O4 - HKLM\..\Run: [sInstall] "C:\Program Files (x86)\Creative\SB X-Fi MB\Karaoke Player\Client\sInstall.exe"
O4 - HKLM\..\Run: [khShowTime] "C:\Program Files (x86)\Nero\Nero 9\Nero ShowTime\khShowTime.exe"
O4 - HKLM\..\Run: [wrsetup] "C:\Program Files (x86)\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\wrsetup.exe"
O4 - HKLM\..\Run: [vnBTIni] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\DOS\vnBTIni.exe"
O4 - HKLM\..\Run: [DllHost] "C:\Program Files (x86)\Nero\Nero 9\Nero Express\DllHost.exe"
O4 - HKLM\..\Run: [ilverlight.Configuration] "C:\Program Files (x86)\Microsoft Silverlight\3.0.50106.0\ilverlight.Configuration.exe"
O4 - HKLM\..\Run: [xwpqpe9x] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\xwpqpe9x.exe"
O4 - HKLM\..\Run: [vgdiagex] "C:\Program Files (x86)\AVG\AVG8\vgdiagex.exe"
O4 - HKLM\..\Run: [gleToolbarNotifier] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\gleToolbarNotifier.exe"
O4 - HKLM\..\Run: [croTextExtractor] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\croTextExtractor.exe"
O4 - HKLM\..\Run: [liLOG] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Implementation\liLOG.exe"
O4 - HKLM\..\Run: [vnWaveEdit] "C:\Program Files (x86)\Nero\Nero 9\Nero WaveEditor\vnWaveEdit.exe"
O4 - HKLM\..\Run: [qqOIS.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\qqOIS.EXE"
O4 - HKLM\..\Run: [qqOIS] "C:\Program Files (x86)\Microsoft Office\Office12\qqOIS.exe"
O4 - HKLM\..\Run: [xportController] "C:\Program Files (x86)\QuickTime\QTSystem\xportController.exe"
O4 - HKLM\..\Run: [ogoalinst] "C:\Program Files (x86)\OpenAL\ogoalinst.exe"
O4 - HKLM\..\Run: [roGadgetCMServer] "C:\Program Files (x86)\Nero\Nero 9\NeroDiscCopy9.Gadget\roGadgetCMServer.exe"
O4 - HKLM\..\Run: [tvwmpenc] "C:\Program Files (x86)\Windows Media Player\tvwmpenc.exe"
O4 - HKLM\..\Run: [ueavgam] "C:\Program Files (x86)\AVG\AVG8\ueavgam.exe"
O4 - HKLM\..\Run: [otnetfx35setup] "C:\Program Files (x86)\Microsoft Games for Windows - LIVE\Client\otnetfx35setup.exe"
O4 - HKLM\..\Run: [X Plus Player] "C:\Program Files (x86)\DivX\DivX Plus Player\X Plus Player.exe"
O4 - HKLM\..\Run: [ktsqlmangr] "C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\ktsqlmangr.exe"
O4 - HKLM\..\Run: [nescm] "C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\nescm.exe"
O4 - HKLM\..\Run: [cuploader] "C:\Program Files (x86)\Windows Live Safety Center\cuploader.exe"
O4 - HKLM\..\Run: [owutil] "C:\Program Files (x86)\Internet Explorer\owutil.exe"
O4 - HKLM\..\Run: [ooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\ooveMonitor.exe"
O4 - HKLM\..\Run: [Licensing] "C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\Licensing.exe"
O4 - HKLM\..\Run: [vkCMSRegOu] "C:\Program Files (x86)\Creative\MediaSource5\vkCMSRegOu.exe"
O4 - HKLM\..\Run: [otoSnap] "C:\Program Files (x86)\Nero\Nero 9\Nero PhotoSnap\otoSnap.exe"
O4 - HKLM\..\Run: [lscuploader] "C:\Program Files (x86)\Windows Live Safety Center\lscuploader.exe"
O4 - HKLM\..\Run: [rooveAuditService] "C:\Program Files (x86)\Microsoft Office\Office12\rooveAuditService.exe"
O4 - HKLM\..\Run: [loMSOHTMED.EXE] "C:\Program Files (x86)\frontpage\OFFICE11\loMSOHTMED.EXE"
O4 - HKLM\..\Run: [loMSOHTMED] "C:\Program Files (x86)\frontpage\OFFICE11\loMSOHTMED.exe"
O4 - HKLM\..\Run: [clauncher.copy] "C:\Program Files (x86)\NCSoft\Launcher\clauncher.copy.exe"
O4 - HKLM\..\Run: [qsavgwsc] "C:\Program Files (x86)\AVG\AVG8\qsavgwsc.exe"
O4 - HKLM\..\Run: [iew - Light] "C:\Program Files (x86)\Dallmeier\PViewLight\iew - Light.exe"
O4 - HKLM\..\Run: [ggINST_LSP] "C:\Program Files (x86)\WideCap\ggINST_LSP.exe"
O4 - HKLM\..\Run: [obpxhpinst] "C:\Program Files (x86)\Common Files\PX Storage Engine\obpxhpinst.exe"
O4 - HKLM\..\Run: [mhmsicuu] "C:\Program Files (x86)\MSECACHE\WICU3\mhmsicuu.exe"
O4 - HKLM\..\Run: [qmCTQSWizu] "C:\Program Files (x86)\Creative\MediaSource5\qmCTQSWizu.exe"
O4 - HKLM\..\Run: [bfsetup] "C:\Program Files (x86)\InstallShield Installation Information\{C40C3C3D-97CF-44B5-836C-766E374464B3}\bfsetup.exe"
O4 - HKLM\..\Run: [csInstall] "C:\Program Files (x86)\Creative\MediaSource5\Client\csInstall.exe"
O4 - HKLM\..\Run: [XConverterLauncher] "C:\Program Files (x86)\DivX\DivX Plus Converter\XConverterLauncher.exe"
O4 - HKLM\..\Run: [blNotiMan] "C:\Program Files (x86)\Creative\ShareDLL\CADI\blNotiMan.exe"
O4 - HKLM\..\Run: [ideoPlayer] "C:\Program Files (x86)\VideoViewer\videoPlayer\ideoPlayer.exe"
O4 - HKLM\..\Run: [idFLOPPYME.EXE] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\idFLOPPYME.EXE"
O4 - HKLM\..\Run: [idFLOPPYME] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\idFLOPPYME.exe"
O4 - HKLM\..\Run: [qjCTQSWizu] "C:\Program Files (x86)\Creative\MediaSource5\qjCTQSWizu.exe"
O4 - HKLM\..\Run: [f2sony20] "C:\Program Files (x86)\Sony\Shared Plug-Ins\Utilities\Migration Tools\f2sony20.exe"
O4 - HKLM\..\Run: [uwMSE7.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\uwMSE7.EXE"
O4 - HKLM\..\Run: [uwMSE7] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\uwMSE7.exe"
O4 - HKLM\..\Run: [gTransport2] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\gTransport2.exe"
O4 - HKLM\..\Run: [diAPOIM64] "C:\Program Files (x86)\Creative\SB X-Fi MB\APOIM\diAPOIM64.exe"
O4 - HKLM\..\Run: [ddNero] "C:\Program Files (x86)\Nero\Nero 9\Nero Burning ROM\ddNero.exe"
O4 - HKLM\..\Run: [MDllHost] "C:\Program Files (x86)\Nero\Nero 9\Nero WaveEditor\MDllHost.exe"
O4 - HKLM\..\Run: [waUnRAR] "C:\Program Files (x86)\WinRAR\waUnRAR.exe"
O4 - HKLM\..\Run: [qavlc] "C:\Program Files (x86)\VideoLAN\VLC\qavlc.exe"
O4 - HKLM\..\Run: [Install] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\Install.exe"
O4 - HKLM\..\Run: [ygatishlx] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\ygatishlx.exe"
O4 - HKLM\..\Run: [ocha For After Effects] "C:\Program Files (x86)\Adobe\Adobe After Effects CS4\Mocha\bin\ocha For After Effects.exe"
O4 - HKLM\..\Run: [gmShell] "C:\Program Files (x86)\Adobe\Adobe After Effects CS4\Support Files\gmShell.exe"
O4 - HKLM\..\Run: [zzKillHost] "C:\Program Files (x86)\Symantec\pcAnywhere\zzKillHost.exe"
O4 - HKLM\..\Run: [gvSDShred] "C:\Program Files (x86)\Spybot - Search & Destroy\gvSDShred.exe"
O4 - HKLM\..\Run: [eatimer166] "C:\Program Files (x86)\Spybot - Search & Destroy\Updates\eatimer166.exe"
O4 - HKLM\..\Run: [indowsServer2003-KB898715-x64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\redist\indowsServer2003-KB898715-x64-enu.exe"
O4 - HKLM\..\Run: [apwidecap] "C:\Program Files (x86)\WideCap\apwidecap.exe"
O4 - HKLM\..\Run: [mqONENOTEM.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\mqONENOTEM.EXE"
O4 - HKLM\..\Run: [mqONENOTEM] "C:\Program Files (x86)\Microsoft Office\Office12\mqONENOTEM.exe"
O4 - HKLM\..\Run: [oVision] "C:\Program Files (x86)\Nero\Nero 9\Nero Vision\oVision.exe"
O4 - HKLM\..\Run: [ybavgsrmaa] "C:\Program Files (x86)\AVG\AVG8\ybavgsrmaa.exe"
O4 - HKLM\..\Run: [zbDSBrowse] "C:\Program Files (x86)\Symantec\pcAnywhere\zbDSBrowse.exe"
O4 - HKLM\..\Run: [ComServer_3_2.EXE] "C:\Program Files (x86)\Symantec\LiveUpdate\ComServer_3_2.EXE"
O4 - HKLM\..\Run: [ComServer_3_2] "C:\Program Files (x86)\Symantec\LiveUpdate\ComServer_3_2.exe"
O4 - HKLM\..\Run: [kkwinawsvr] "C:\Program Files (x86)\Symantec\pcAnywhere\kkwinawsvr.exe"
O4 - HKLM\..\Run: [gwWINWORD.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\gwWINWORD.EXE"
O4 - HKLM\..\Run: [gwWINWORD] "C:\Program Files (x86)\Microsoft Office\Office12\gwWINWORD.exe"
O4 - HKLM\..\Run: [gleUpdater] "C:\Program Files (x86)\Google\Google Updater\gleUpdater.exe"
O4 - HKLM\..\Run: [hkInstHelp] "C:\Program Files (x86)\Common Files\Creative\Installation\Common\hkInstHelp.exe"
O4 - HKLM\..\Run: [dkVTIDISC.EXE] "C:\Program Files (x86)\frontpage\OFFICE11\dkVTIDISC.EXE"
O4 - HKLM\..\Run: [dkVTIDISC] "C:\Program Files (x86)\frontpage\OFFICE11\dkVTIDISC.exe"
O4 - HKLM\..\Run: [veCTSUAppu] "C:\Program Files (x86)\Creative\MediaSource5\veCTSUAppu.exe"
O4 - HKLM\..\Run: [zuSetup] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEImporters\zuSetup.exe"
O4 - HKLM\..\Run: [mtsetup] "C:\Program Files (x86)\InstallShield Installation Information\{C40C3C3D-97CF-44B5-836C-766E374464B3}\mtsetup.exe"
O4 - HKLM\..\Run: [jyVTIPRES.EXE] "C:\Program Files (x86)\frontpage\OFFICE11\jyVTIPRES.EXE"
O4 - HKLM\..\Run: [jyVTIPRES] "C:\Program Files (x86)\frontpage\OFFICE11\jyVTIPRES.exe"
O4 - HKLM\..\Run: [tqgdsmux] "C:\Program Files (x86)\K-Lite Codec Pack\Filters\Haali\tqgdsmux.exe"
O4 - HKLM\..\Run: [fgsetup] "C:\Program Files (x86)\InstallShield Installation Information\{FBFF2411-D066-4D24-BCE0-893086009E1B}\fgsetup.exe"
O4 - HKLM\..\Run: [fbsmax4pnp] "C:\Program Files (x86)\Analog Devices\Core\fbsmax4pnp.exe"
O4 - HKLM\..\Run: [taMDAC_TYP.EXE] "C:\Program Files (x86)\Sony Setup\Vegas 7.0\mediamgr\msde\taMDAC_TYP.EXE"
O4 - HKLM\..\Run: [taMDAC_TYP] "C:\Program Files (x86)\Sony Setup\Vegas 7.0\mediamgr\msde\taMDAC_TYP.exe"
O4 - HKLM\..\Run: [bysidebar] "C:\Program Files (x86)\Windows Sidebar\bysidebar.exe"
O4 - HKLM\..\Run: [lysetup] "C:\Program Files (x86)\InstallShield Installation Information\{D80A6A73-E58A-4673-AFF5-F12D7110661F}\lysetup.exe"
O4 - HKLM\..\Run: [der_sl] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\der_sl.exe"
O4 - HKLM\..\Run: [byDevSetup] "C:\Program Files (x86)\Analog Devices\SoundMAX\byDevSetup.exe"
O4 - HKLM\..\Run: [akMSTORE.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\akMSTORE.EXE"
O4 - HKLM\..\Run: [akMSTORE] "C:\Program Files (x86)\Microsoft Office\Office12\akMSTORE.exe"
O4 - HKLM\..\Run: [hxMSOICONS.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\hxMSOICONS.EXE"
O4 - HKLM\..\Run: [hxMSOICONS] "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\hxMSOICONS.exe"
O4 - HKLM\..\Run: [scSpeed] "C:\Program Files (x86)\Nero\Nero 9\Nero DiscSpeed\scSpeed.exe"
O4 - HKLM\..\Run: [ervertool] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\ervertool.exe"
O4 - HKLM\..\Run: [mcISBEW64] "C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\mcISBEW64.exe"
O4 - HKLM\..\Run: [dowsServer2003-KB898715-x64-enu] "C:\Program Files (x86)\Adobe\Adobe Media Encoder CS4\PCI\AMEExporters\redist\dowsServer2003-KB898715-x64-enu.exe"
O4 - HKLM\..\Run: [hmdsconfig] "C:\Program Files (x86)\K-Lite Codec Pack\Tools\hmdsconfig.exe"
O4 - HKLM\..\Run: [rljava] "C:\Program Files (x86)\Java\jre6\bin\rljava.exe"
O4 - HKLM\..\Run: [znjavaw] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\jre\bin\znjavaw.exe"
O4 - HKLM\..\Run: [xgSetup] "C:\Program Files (x86)\InstallShield Installation Information\{A31951C5-DCD8-4DFE-A525-CFC701F54792}\xgSetup.exe"
O4 - HKLM\..\Run: [tdSETLANG.EXE] "C:\Program Files (x86)\Microsoft Office\Office12\tdSETLANG.EXE"
O4 - HKLM\..\Run: [tdSETLANG] "C:\Program Files (x86)\Microsoft Office\Office12\tdSETLANG.exe"
O4 - HKLM\..\Run: [ptPartInNT] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\ptPartInNT.exe"
O4 - HKLM\..\Run: [ishPatcher] "C:\Program Files (x86)\InnerSpace\ishPatcher.exe"
O4 - HKLM\..\Run: [obat_com] "C:\Program Files (x86)\Adobe\Acrobat_com\obat_com.exe"
O4 - HKLM\..\Run: [btLuConfig.EXE] "C:\Program Files (x86)\Symantec\LiveUpdate\btLuConfig.EXE"
O4 - HKLM\..\Run: [btLuConfig] "C:\Program Files (x86)\Symantec\LiveUpdate\btLuConfig.exe"
O4 - HKLM\..\Run: [rest_start] "C:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\rest_start.exe"
O4 - HKLM\..\Run: [pruninst] "C:\Program Files (x86)\AMVapp\pruninst.exe"
O4 - HKLM\..\Run: [wfPartIn] "C:\Program Files (x86)\PowerQuest\PartitionMagic 8.0\wfPartIn.exe"
O4 - HKLM\..\Run: [wfjava-rmi] "C:\Program Files (x86)\Java\jre6\bin\wfjava-rmi.exe"
O4 - HKLM\..\Run: [dpTBPANEL] "C:\Program Files (x86)\EXPERTool ATI\dpTBPANEL.exe"
O4 - HKLM\..\Run: [nlDFUICOM.EXE] "C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\nlDFUICOM.EXE"
O4 - HKLM\..\Run: [nlDFUICOM] "C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\nlDFUICOM.exe"
O4 - HKLM\..\Run: [jvMsiZap] "C:\Program Files (x86)\MSECACHE\WICU3\Unicode\jvMsiZap.exe"
O4 - HKLM\..\Run: [bfoalinst] "C:\Program Files (x86)\OpenAL\bfoalinst.exe"
O4 - HKLM\..\Run: [fkcmdwrap] "C:\Program Files (x86)\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\fkcmdwrap.exe"
O4 - HKLM\..\Run: [udslaunch] "C:\Program Files (x86)\Symantec\pcAnywhere\udslaunch.exe"
O4 - HKLM\..\Run: [adCTQSWizu] "C:\Program Files (x86)\Creative\MediaSource5\adCTQSWizu.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Gainward] C:\Program Files (x86)\EXPERTool ATI\TBPanel.exe /A
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-2912004403-2624630837-848784356-1000\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Games\partygaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Games\partygaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\widecap\widecapdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O16 - DPF: {4DF118B4-5498-4EEA-9277-9EBC94B38114} (STWViewerWeb Class) - http://58.108.200.243:4000/STWWebViewer.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15109/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Sound Blaster X-Fi MB Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 40916 bytes





#2 griever

  • Topic Starter
  • Members
  • 5 posts
  • Local time:08:19 AM

Posted 11 May 2010 - 06:24 AM

System restore seemed to do the trick; I have gone through most of the O4s and none of the .exe files are there now.

I have been in contact with the seller; they have no idea how the files got on the device (apparently).

However, I have heard rumors about the Chinese govt doing things like this to gain access to people's computers. However, it's just rumors and I can't verify those claims, but since the unit came from China I'm kinda freaked out at this point.

I have kept the files in case someone wants to dismember them and see what it actually does.

Regards,
Robin


#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:19 PM

Posted 12 May 2010 - 06:58 PM

Thanks for letting me know. I have seen this infection before but I appreciate the offer of the files.

------------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



