Win Nt 2003 X64
1 reply to this topic

#1 logikz

Posted 11 May 2007 - 10:17 PM

I have a never-ending reinstalling trojan that seems to use a ramdisk to cache the system, so formatting the drive doesn't fix it. It seems to package itself in with anything I burn or create to spread to other systems. It creates "QL1080 > QL1 0wnt". I have several scans which offer some clues...

C:\$AttrDef 12/31/2005 8:09 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 12/31/2005 8:09 PM 128.00 GB Hidden from Windows API.
C:\$Bitmap 12/31/2005 8:09 PM 4.00 MB Hidden from Windows API.
C:\$Boot 12/31/2005 8:09 PM 8.00 KB Hidden from Windows API.
C:\$Extend 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$LogFile 12/31/2005 8:09 PM 64.00 MB Hidden from Windows API.
C:\$MFT 12/31/2005 8:09 PM 44.92 MB Hidden from Windows API.
C:\$MFTMirr 12/31/2005 8:09 PM 4.00 KB Hidden from Windows API.
C:\$Secure 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
C:\$UpCase 12/31/2005 8:09 PM 128.00 KB Hidden from Windows API.
C:\$Volume 12/31/2005 8:09 PM 0 bytes Hidden from Windows API.
D:\$AttrDef 5/9/2007 4:08 PM 2.50 KB Hidden from Windows API.
D:\$BadClus 5/9/2007 4:08 PM 0 bytes Hidden from Windows API.
D:\$BadClus:$Bad 5/9/2007 4:08 PM 170.09 GB Hidden from Windows API.
D:\$Bitmap 5/9/2007 4:08 PM 42.52 MB Hidden from Windows API.
D:\$Boot 5/9/2007 4:08 PM 8.00 KB Hidden from Windows API.
D:\$Extend 5/9/2007 4:08 PM 0 bytes Hidden from Windows API.
D:\$Extend\$ObjId 5/9/2007 4:10 PM 0 bytes Hidden from Windows API.
D:\$Extend\$Quota 5/9/2007 4:10 PM 0 bytes Hidden from Windows API.
D:\$Extend\$Reparse 5/9/2007 4:10 PM 0 bytes Hidden from Windows API.
D:\$LogFile 5/9/2007 4:08 PM 64.00 MB Hidden from Windows API.
D:\$MFT 5/9/2007 4:08 PM 9.72 MB Hidden from Windows API.
D:\$MFTMirr 5/9/2007 4:08 PM 4.00 KB Hidden from Windows API.
D:\$Secure 5/9/2007 4:08 PM 0 bytes Hidden from Windows API.
D:\$UpCase 5/9/2007 4:08 PM 128.00 KB Hidden from Windows API.
D:\$Volume 5/9/2007 4:08 PM 0 bytes Hidden from Windows API.
E:\$AttrDef 5/11/2007 12:49 AM 2.50 KB Hidden from Windows API.
E:\$BadClus 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$BadClus:$Bad 5/11/2007 12:49 AM 2.49 MB Hidden from Windows API.
E:\$Bitmap 5/11/2007 12:49 AM 640 bytes Hidden from Windows API.
E:\$Boot 5/11/2007 12:49 AM 8.00 KB Hidden from Windows API.
E:\$Extend 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$Extend\$ObjId 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$Extend\$Quota 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$Extend\$Reparse 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$LogFile 5/11/2007 12:49 AM 2.00 MB Hidden from Windows API.
E:\$MFT 5/11/2007 12:49 AM 48.00 KB Hidden from Windows API.
E:\$MFTMirr 5/11/2007 12:49 AM 4.00 KB Hidden from Windows API.
E:\$Secure 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
E:\$UpCase 5/11/2007 12:49 AM 128.00 KB Hidden from Windows API.
E:\$Volume 5/11/2007 12:49 AM 0 bytes Hidden from Windows API.
----SOURCE ROOTKIT REVEALER -----

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = ""C:\Program Files (x86)\Steam\Steam.exe" -silent" ["Valve Corporation"]
"ccleaner" = ""C:\Program Files (x86)\CCleaner\ccleaner.exe" /AUTO" ["Piriform Ltd"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Karen" = "(empty string)" [file not found]
"raVe" = "(empty string)" [file not found]
"SystemBackup" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{03B6C51D-9552-4416-B111-45AE011448DC}" = "Panda Antivirus"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\ShellTit64.dll" ["Panda Software International"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("msapsspc.dll" [file not found], "msnsspc.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "dimsntfy.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Panda Antivirus\(Default) = "{03B6C51D-9552-4416-B111-45AE011448DC}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\ShellTit64.dll" ["Panda Software International"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{03B6C51D-9552-4416-B111-45AE011448DC}"
-> {HKLM...CLSID} = "Panda Antivirus"
\InProcServer32\(Default) = "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\ShellTit64.dll" ["Panda Software International"]


Default executables:
--------------------

<<!>> HKLM\Software\Classes\htafile\shell\open\command\(Default) = "C:\WINDOWS\SysWOW64\mshta.exe "%1" %*" [MS]

<<!>> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Windows XP.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Windows XP.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll ["Panda Software International"], 1 - 3, 9
%SystemRoot%\system32\mswsock.dll [MS], 4 - 8


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]}
HDD Information Service, HDDSvc, "C:\WINDOWS\system32\HDDSvc.exe" [file not found]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\lsass.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc64.exe" ["NVIDIA Corporation"]
Panda anti-virus service, PAVSRV, ""C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavsrvx86.exe"" ["Panda Software International"]
Panda Function Service, PAVFNSVR, ""C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe"" ["Panda Software International"]
Panda Host Service, PSHost, ""c:\program files (x86)\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE"" ["Panda Software International"]
Panda IManager Service, PSIMSVC, ""C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe"" ["Panda Software International"]
Panda Software Controller, Panda Software Controller, ""C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe"" ["Panda Software International"]
Panda TPSrv, TPSrv, ""C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\TPSrvWow.exe"" ["Panda Software International"]
WinHTTP Web Proxy Auto-Discovery Service, WinHttpAutoProxySvc, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"winhttp.dll" [file not found]}


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 34 seconds.
---------- (total run time: 65 seconds)

StartupList report, 5/7/2007, 4:11:40 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.EXE
Detected: Windows 2003 SP2 (WinNT 5.02.3790)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\TPSrvWow.exe
C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\WebProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
c:\program files (x86)\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files (x86)\uTorrent\utorrent.exe
C:\Program Files (x86)\LimeWire\LimeWire.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
LimeWire On Startup.lnk = C:\Program Files (x86)\LimeWire\LimeWire.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

APVXDWIN = "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
Tau Monitor = C:\PROGRA~2\Agnitum\TAUSCA~1.7\taumon.exe
SunJavaUpdateSched = "C:\Program Files (x86)\Java\jre1.5.0_03\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

OE_WMPWMP7_Install_0 = C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
OE_WMPWMP7_Install_1 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmp.dll
OE_WMPWMP7_Install_8 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmpshell.dll
OE_WMPWMP7_Install_9 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmpasf.dll
OE_WMPWMP7_Install_10 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmpdxm.dll
OE_WMPWMP7_Install_11 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmpencen.dll
OE_WMPWMP7_Install_12 = C:\WINDOWS\SysWOW64\regsvr32 /s C:\WINDOWS\SysWOW64\wmpsrcwp.dll
OE_WMPWMP7_Install_20 = C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
OE_WMPWMP7_Install_21 = "C:\Program Files (x86)\Windows Media Player\wmpenc.exe" /RegServer

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Steam = "C:\Program Files (x86)\Steam\Steam.exe" -silent

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SysWOW64\Rundll32.exe C:\WINDOWS\SysWOW64\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files (x86)\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files (x86)\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll
Protocol #2: C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll
Protocol #3: C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Application Experience Lookup Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCWDM64.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K8 Processor Driver: system32\DRIVERS\amdk8.sys (manual start)
AmFSM: system32\DRIVERS\amfsm.sys (autostart)
App Filter Plugin: \??\C:\WINDOWS\system32\Drivers\APPFLT64.SYS (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CdaC15BA: system32\DRIVERS\CdaC15BA.sys (autostart)
CdaD10BA: system32\DRIVERS\CdaD10BA.sys (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (autostart)
.NET Runtime Optimization Service v2.0.50727_x64: C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (autostart)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Panda CPoint Driver: system32\Drivers\cpoint64.sys (autostart)
CRC Disk Filter Driver: system32\DRIVERS\crcdisk.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
DSA Filter Plugin: \??\C:\WINDOWS\system32\Drivers\DSAFLT64.SYS (system)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k WinErr (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
NetMon Filter Plugin: \??\C:\WINDOWS\system32\Drivers\fnetm64.SYS (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\lsass.exe (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
IAS Jet Database Access: %SystemRoot%\SysWOW64\svchost.exe -k iasjet (manual start)
Ids Filter Plugin: \??\C:\WINDOWS\system32\Drivers\IDSFLT64.SYS (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kernel Streaming WOW64 Thunk Service: system32\drivers\ksthunk.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
ATK0110 ACPI UTILITY: system32\DRIVERS\ASACPI.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Panda Net Driver [TDI Layer]: \??\C:\WINDOWS\system32\Drivers\NETTDI64.SYS (system)
PANDA NDIS IM Filter Miniport: system32\DRIVERS\netim64.sys (manual start)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
nvata64: system32\DRIVERS\nvata64.sys (system)
NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)
NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc64.exe (autostart)
Panda Software Controller: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe" (autostart)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
Panda Function Service: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe" (autostart)
Panda anti-virus service: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\pavsrvx86.exe" (autostart)
PavTPK.sys: \??\C:\WINDOWS\system32\PavTPK.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Prot6Flt: system32\DRIVERS\Prot6Flt.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Panda Host Service: "c:\program files (x86)\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE" (autostart)
Panda IManager Service: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe" (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Security Driver: system32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SMS Filter Plugin: \??\C:\WINDOWS\system32\Drivers\SMSFLT64.SYS (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (disabled)
Windows Service Pack Installer update service: C:\WINDOWS\system32\spupdsvc.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (disabled)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft Software Shadow Copy Provider: %SystemRoot%\System32\svchost.exe -k swprv (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Panda TPSrv: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\TPSrvWow.exe" (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Virtual Disk Service: %SystemRoot%\System32\vds.exe (manual start)
vga: system32\DRIVERS\vgapnp.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Storage volumes: system32\DRIVERS\volsnap.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
WinHTTP Web Proxy Auto-Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe" (manual start)
Wifi Monitor Filter Plugin: \??\C:\WINDOWS\system32\Drivers\WNMFLT64.SYS (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe|||L

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\syswow64\SHELL32.dll
CDBurn: C:\WINDOWS\syswow64\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\SysWOW64\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 32,734 bytes
Report generated in 0.969 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Also: administrator, administrators, and the system (NT AUTHORITY) - do they all need rights?

Here is another scan:

Volume in drive C has no label.
Volume Serial Number is CC04-7D83

Directory of c:\

05/11/2007 09:51 PM 0 dirdat.txt
05/11/2007 02:18 AM 1,610,612,736 pagefile.sys
05/11/2007 12:38 AM 1,162 rapport.txt
05/11/2007 12:11 AM 323 boot.ini
05/09/2007 09:18 PM 73,391,578 BackupRegistry(20070509).reg
05/07/2007 02:16 AM 297,072 ntldr
05/06/2007 02:29 PM 0 MSDOS.SYS
05/06/2007 02:29 PM 0 IO.SYS
05/06/2007 02:29 PM 0 CONFIG.SYS
05/06/2007 02:29 PM 0 AUTOEXEC.BAT
03/25/2005 06:00 AM 47,772 NTDETECT.COM
11 File(s) 1,684,350,643 bytes
0 Dir(s) 32,728,948,736 bytes free
Volume in drive C has no label.
Volume Serial Number is CC04-7D83

Directory of C:\WINDOWS\system32

05/11/2007 02:19 AM 88,566 nvapps.xml
05/11/2007 02:19 AM 13,646 wpa.dbl
05/10/2007 11:33 PM 82,466 perfc009.dat
05/10/2007 11:33 PM 471,292 perfh009.dat
05/10/2007 11:33 PM 563,436 PerfStringBackup.INI
05/07/2007 02:49 AM 293 PavCPL64.dat
05/07/2007 02:40 AM 84,720 FNTCACHE.DAT
05/07/2007 02:26 AM 13,646 wpa.bak
05/06/2007 03:47 PM 286 $winnt$.inf
05/06/2007 03:01 PM 749 cdplayer.exe.manifest
05/06/2007 03:01 PM 749 ncpa.cpl.manifest
05/06/2007 03:01 PM 749 wuaucpl.cpl.manifest
05/06/2007 03:01 PM 749 nwc.cpl.manifest
05/06/2007 03:01 PM 749 sapi.cpl.manifest
05/06/2007 03:00 PM 22,588 emptyregdb.dat
04/03/2007 01:27 PM 15,152 spmsg.dll
04/03/2007 01:09 PM 1,019,392 wininet.dll
04/03/2007 01:09 PM 295,424 webcheck.dll
04/03/2007 01:09 PM 1,417,728 urlmon.dll
04/03/2007 01:09 PM 108,544 url.dll
04/03/2007 01:09 PM 148,480 occache.dll
04/03/2007 01:09 PM 1,128,960 mstime.dll
04/03/2007 01:09 PM 242,176 msrating.dll
04/03/2007 01:09 PM 758,784 mshtmled.dll
04/03/2007 01:09 PM 32,256 jsproxy.dll
04/03/2007 01:09 PM 553,472 msfeeds.dll
04/03/2007 01:09 PM 5,665,792 mshtml.dll
04/03/2007 01:09 PM 75,264 msfeedsbs.dll
04/03/2007 01:09 PM 13,824 ieudinit.exe
04/03/2007 01:09 PM 2,021,888 inetcpl.cpl
04/03/2007 01:09 PM 355,328 iertutil.dll
04/03/2007 01:09 PM 57,344 iernonce.dll
04/03/2007 01:09 PM 983,552 ieframe.dll.mui
04/03/2007 01:09 PM 7,054,848 ieframe.dll
04/03/2007 01:09 PM 424,448 ieapfltr.dll
04/03/2007 01:09 PM 2,453,952 ieapfltr.dat
04/03/2007 01:09 PM 161,792 ieakui.dll
04/03/2007 01:09 PM 467,968 iedkcs32.dll
04/03/2007 01:09 PM 195,584 ieakeng.dll
04/03/2007 01:09 PM 68,608 ie4uinit.exe
04/03/2007 01:09 PM 267,264 ieaksie.dll
04/03/2007 01:09 PM 185,856 extmgr.dll
04/03/2007 01:09 PM 161,280 advpack.dll
03/21/2007 08:18 AM 454,144 w03a2409.dll
03/21/2007 12:05 AM 512,512 winsrv.dll
03/15/2007 07:38 PM 46,640 pavcpl64.cpl
03/02/2007 01:54 AM 4,530,176 win32k.sys
03/02/2007 01:54 AM 95,744 mf3216.dll
03/02/2007 01:54 AM 619,520 gdi32.dll
03/02/2007 01:54 AM 1,086,464 user32.dll
02/28/2007 06:05 PM 217,136 TpUtil64.dll
02/28/2007 06:04 PM 481,840 PavSHook64.dll
02/28/2007 06:04 PM 78,896 PavIpc64.dll
02/18/2007 11:12 AM 25,904 spupdsvc.exe
02/18/2007 11:03 AM 456,704 vdsdyndr.dll
02/18/2007 11:03 AM 29,696 vdsldr.exe
02/18/2007 11:03 AM 94,720 vdsutil.dll
02/18/2007 11:03 AM 254,976 vdsbas.dll
02/18/2007 11:03 AM 613,376 vds.exe
02/18/2007 11:03 AM 41,472 vds_ps.dll
02/18/2007 11:02 AM 103,936 telnet.exe
02/18/2007 11:01 AM 1,204,224 storagemgmt.dll
02/18/2007 11:00 AM 179,577 schema.ini
02/18/2007 10:58 AM 71,680 pidgen.dll
02/18/2007 10:58 AM 55,296 ntsd.exe
02/18/2007 10:57 AM 1,254,400 ntdll.dll
02/18/2007 10:55 AM 55,296 mmcperf.exe
02/18/2007 10:55 AM 3,963,392 mmcndmgr.dll
02/18/2007 10:55 AM 90,112 mmcshext.dll
02/18/2007 10:55 AM 282,112 mmcbase.dll
02/18/2007 10:55 AM 397,312 mmcex.dll
02/18/2007 10:55 AM 106,496 mmcfxcommon.dll
02/18/2007 10:55 AM 3,177,984 mmc.exe
02/18/2007 10:54 AM 184,320 microsoft.managementconsole.dll
02/18/2007 10:53 AM 58,880 imagehlp.dll
02/18/2007 10:52 AM 578,560 diskraid.exe
02/18/2007 10:51 AM 1,643,520 dbgeng.dll
02/18/2007 10:50 AM 220,160 cic.dll
02/18/2007 10:50 AM 141,824 cabinet.dll
02/18/2007 10:50 AM 55 pid.inf
02/18/2007 10:50 AM 800,256 autofmt.exe
02/18/2007 10:50 AM 817,664 autochk.exe
02/18/2007 10:41 AM 36,864 srmlib.dll
02/18/2007 10:41 AM 155,648 microsoft.storage.vds.dll
02/18/2007 10:41 AM 98,304 fsmsnap.dll
02/18/2007 10:41 AM 720,896 dfsobjectmodel.dll
02/18/2007 10:41 AM 2,949,120 dfsmgmt.dll
02/18/2007 10:41 AM 229,376 cfscommonuifx.dll
02/17/2007 11:39 PM 592,728 slbcsp.dll
02/17/2007 11:39 PM 336,728 sccbase.dll
02/17/2007 11:39 PM 306,008 rsaenh.dll
02/17/2007 11:39 PM 236,888 dssenh.dll
02/17/2007 01:49 AM 1,079,808 mstscax.dll
02/17/2007 01:49 AM 481,280 mstsc.exe
02/17/2007 01:05 AM 460,288 zipfldr.dll
02/17/2007 01:05 AM 2,899,456 xpsp2res.dll
02/17/2007 01:05 AM 440,320 xpob2res.dll
02/17/2007 01:05 AM 10,752 xolehlp.dll
02/17/2007 01:05 AM 326,144 xmlprov.dll
02/17/2007 01:05 AM 137,728 xactsrv.dll
02/17/2007 01:05 AM 223,744 xmllite.dll
02/17/2007 01:05 AM 659,968 wzcsvc.dll
02/17/2007 01:05 AM 51,712 wzcsapi.dll
02/17/2007 01:05 AM 947,712 wzcdlg.dll
02/17/2007 01:05 AM 29,696 wtsapi32.dll
02/17/2007 01:05 AM 401,920 wssbrand.dll
02/17/2007 01:04 AM 69,120 wsnmp32.dll
02/17/2007 01:04 AM 124,416 wshom.ocx
02/17/2007 01:04 AM 22,528 wship6.dll
02/17/2007 01:04 AM 29,696 wshtcpip.dll
02/17/2007 01:04 AM 960,512 wsecedit.dll
02/17/2007 01:04 AM 81,920<

Edited by acklan, 12 May 2007 - 12:18 AM.
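The services block and the `PendingFileRenameOperations` line in the report above are the parts a responder reads first, because they are the boot-time persistence points a reinstalling infection would need. The script below is an added example, not code from this thread or from the tool that produced the report. It parses lines in the `Display Name: image path (start type)` form shown above, resolves the path forms that appear there (`%SystemRoot%`, `\SystemRoot`, the `\??\` prefix, quoted paths with arguments, bare `system32\` driver paths), and flags entries that start at boot from outside the Windows or Program Files trees or that run from a user-writable temp/profile directory. `SYSTEM_ROOT`, the trusted and suspect directory lists, and the sample lines are assumptions: most sample lines mirror entries in the posted log, while `Example Updater` and `Example Helper` are hypothetical entries constructed so the checks have something to flag.

```python
r"""Triage helper for a Silent Runners-style services listing.

Added example (not code from this thread or from the tool that printed the
report). It reads lines shaped like the services section above:

    Display Name: <image path> [arguments] (<start type>)

resolves the path forms that appear there (%SystemRoot%, \SystemRoot, \??\,
quoted paths, bare system32\ driver paths) and flags the entries a responder
would open first.
"""
import re
from dataclasses import dataclass

SERVICE_LINE = re.compile(r'^(?P<name>.+?): (?P<path>.+) \((?P<start>[^)]+)\)$')
SYSTEM_ROOT = 'C:\\WINDOWS'            # assumption: %SystemRoot% on the box in the log
# Directories OS and vendor service binaries normally live in (compared upper-cased).
TRUSTED_DIRS = ('C:\\WINDOWS', 'C:\\PROGRAM FILES', 'C:\\PROGRAM FILES (X86)')
# User-writable locations: a service or driver here is a finding regardless of start type.
SUSPECT_DIRS = ('C:\\DOCUME~1', 'C:\\DOCUMENTS AND SETTINGS', 'C:\\WINDOWS\\TEMP', 'C:\\TEMP')
BOOT_STARTS = ('autostart', 'system')


def normalise_image_path(raw: str) -> str:
    """Reduce an ImagePath as printed in the report to a plain absolute path."""
    s = raw.strip()
    if s.startswith('"'):                       # quoted path: keep the quoted part, drop args
        s = s[1:s.index('"', 1)]
    else:                                       # unquoted: drop arguments such as '-k netsvcs'
        s = s.split(' ', 1)[0]
    if s.startswith('\\??\\'):                  # NT object-manager prefix, harmless by itself
        s = s[4:]
    low = s.lower()
    for prefix in ('%systemroot%', '\\systemroot'):
        if low.startswith(prefix):
            s = SYSTEM_ROOT + s[len(prefix):]
            break
    if s.lower().startswith('system32\\'):      # driver paths are relative to %SystemRoot%
        s = SYSTEM_ROOT + '\\' + s
    return s


@dataclass
class Finding:
    name: str
    path: str
    start: str
    reason: str


def _under(path_upper: str, dirs) -> bool:
    return any(path_upper.startswith(d + '\\') for d in dirs)


def triage_services(lines):
    """Return a Finding for each service/driver line worth a closer look."""
    findings = []
    for line in lines:
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue                             # not a service line (section header, blank)
        path = normalise_image_path(m['path'])
        up = path.upper()
        name, start = m['name'], m['start']
        if not re.match(r'^[A-Z]:\\', up):
            findings.append(Finding(name, path, start, 'image path could not be resolved'))
        elif _under(up, SUSPECT_DIRS):
            findings.append(Finding(name, path, start, 'runs from a user-writable temp/profile directory'))
        elif start in BOOT_STARTS and not _under(up, TRUSTED_DIRS):
            findings.append(Finding(name, path, start, 'boot-time start outside Windows/Program Files'))
    return findings


def pending_rename_source(line: str) -> str:
    r"""Source path from a 'PendingFileRenameOperations: <src>|||<dst>' line.

    Whatever is listed here is renamed or deleted by the session manager at the
    next boot, before any anti-malware service runs, so it belongs in triage
    even when, as with the ~nsu.tmp\Au_.exe entry above, it is the temporary
    copy an NSIS uninstaller makes of itself.
    """
    body = line.strip()
    label = 'PendingFileRenameOperations:'
    if body.startswith(label):
        body = body[len(label):].strip()
    return body.split('|||', 1)[0]


# Constructed sample: the first five mirror entries from the posted log; the
# last two are hypothetical entries added so the checks have something to flag.
SAMPLE_LINES = [
    r'Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)',
    r'Panda CPoint Driver: system32\Drivers\cpoint64.sys (autostart)',
    r'DSA Filter Plugin: \??\C:\WINDOWS\system32\Drivers\DSAFLT64.SYS (system)',
    r'Panda Software Controller: "C:\Program Files (x86)\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe" (autostart)',
    r'gmer: System32\DRIVERS\gmer.sys (manual start)',
    r'Example Updater: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\updsvc.exe (manual start)',
    r'Example Helper: C:\tools\helper.exe (autostart)',
]

if __name__ == '__main__':
    for f in triage_services(SAMPLE_LINES):
        print(f'{f.name}: {f.path} ({f.start}) -> {f.reason}')
    print('pending rename:', pending_rename_source(
        r'PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe|||L'))
```

A clean location is a prioritisation aid, not a verdict: a binary dropped into `system32` with a plausible name passes this filter, so every flagged entry and any unfamiliar name in the trusted tree still needs its file hashed and its Authenticode signature checked before anything is removed.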


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 May 2007 - 09:04 AM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) Do not post a log using the Beta version by Trend Micro as there have been reported problems and it is not being used by the HJT Team.

When you have done that, post your log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

