Naecd & Smitfraud


14 replies to this topic

#1 juicyplasma

  • Members
  • 12 posts

Posted 24 May 2007 - 07:48 AM

Hello,

Now that we have the pleasantries aside, let's get down to my problem.

I'll try to be as specific as possible.

I've been playing Knights of the Old Republic for the past week and have run into no technical issues until today. Basically the game won't run anymore and I believe that naecd.sys is the antagonist here.

When I try to run the game these two things happen:

1 - A popup error saying the following: "Conflict with Disc Emulator Software detected. See www.securom.com/emulation for more details." I am not emulating anything, nor am I using any "No-CD cracks" or the like, so I am at a loss to explain the reason for this occurrence.

EDIT:
I have tried playing the game with a No-CD crack and it actually plays. Now we just have to find out why this is happening and how to prevent it.

2 - The file naecd.sys is created in Documents and Settings/(my username)/Local Settings/Temp. AVG Antivirus jumps on this instantly and rids the computer of it.

So, finding that there is a Trojan on my computer, I do every scan I can think of (AVG, Spybot, Adaware). Now, while AVG and Adaware found nothing of any real consequence, Spybot found Smitfraud Toolbar. Unfortunately it couldn't remove it then and there (stating that it would be removed on the next startup). So I reboot the computer and let Spybot do its thing. It finds the Smitfraud Toolbar again, so I set it to fix the problem... only to have it say that the problem will be removed on the next startup again!

EDIT:
Taking one more stab at Smitfraud with Spybot seems to have rid my system of it. I do still have the naecd.sys problem, however, so any help would be much appreciated.

Finding no other solution to my problem (after combing through Google with a fine-toothed comb), I come to you fine people pleading for a solution that will hopefully not involve a full reformat of my HDD.

HijackThis log as follows.

Logfile of HijackThis v1.99.1
Scan saved at 9:03:00 PM, on 24/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D1D89F7-633C-3AC7-3825-6FE4BBBAB2C8} - C:\WINDOWS\system32\jrtv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {79FEA479-47BF-4616-EAE8-43A60F51C3CD} - C:\WINDOWS\system32\nyklr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A910EA82-0B31-53E2-40D4-71F2C75641CF} - C:\WINDOWS\system32\kqltt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [{6466EA8E-0BB0-3081-0929-03102005003d}] "C:\Program Files\Common Files\{6466EA8E-0BB0-3081-0929-03102005003d}\Update.exe" mc-110-12-0001592
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - http://www.swissquake.ch/chumbalum-soft/fi...3DViewerOCX.cab
O16 - DPF: {5DBF08EF-4BDE-11D3-B8E4-0080C84E9C66} (Medi@Show Control) - http://tw.cyberlink.com/medi@show/tv/MediaShow.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5046CF9E-920C-463E-998C-DECDAEB3221D}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: ZyDAS1211BBG - Unknown owner - C:\Program Files\WIFI_LINK\WL_Utility\srvany.exe (file missing)

Edited by juicyplasma, 24 May 2007 - 08:37 AM.



#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 24 May 2007 - 08:49 AM

Analyzing your log and will post instructions for malware removal later today.

Thank you for your patience.

Old duck...


#3 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 24 May 2007 - 10:30 AM

Please close all windows, and with just HijackThis open, click Scan.
Check the box for:

O2 - BHO: (no name) - {0D1D89F7-633C-3AC7-3825-6FE4BBBAB2C8} - C:\WINDOWS\system32\jrtv.dll (file missing)
O2 - BHO: (no name) - {79FEA479-47BF-4616-EAE8-43A60F51C3CD} - C:\WINDOWS\system32\nyklr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A910EA82-0B31-53E2-40D4-71F2C75641CF} - C:\WINDOWS\system32\kqltt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Select: Fix checked

~~~~
Restart the computer.

~~~~
Run HijackThis once again, and Scan.

After the scan, select: Config > Misc Tools
Next, to Generate StartupList log, place a check next to:
List also minor sections (full)
List empty sections (complete)

Then click: Generate StartupList log
Click: Yes at the prompt to run a StartupList


~~~~
Please post the following in your reply:
The StartupList
A new HijackThis log

Old duck...
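
Added example (not from either poster, and not part of HijackThis): a short Python script that applies the same rule Aaflac used above to the O2 block of the posted log. HijackThis reports a Browser Helper Object registration whose DLL is absent from disk either as "(file missing)" (path known, file gone) or "(no file)" (no path at all); those are the five entries ticked for "Fix checked". The sample input is the O2 block copied from the first post, with one R1 and one O4 line left in to show that unrelated sections are ignored. The regex, function names and the "orphaned" label are my own assumptions, not HijackThis terminology.

```python
"""Triage O2 (Browser Helper Object) lines in a HijackThis log.

Added example for this thread; it reproduces by script the check the
helper applied by hand: an O2 entry whose DLL is reported "(file missing)"
or "(no file)" is an orphaned registration, and ticking it in HijackThis
only deletes the registry pointer (there is no DLL left to load).
"""
import re
from typing import Dict, List

# Sample input: the O2 block of the HijackThis v1.99.1 log in the first
# post of this thread, plus one R1 and one O4 line as non-O2 noise.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D1D89F7-633C-3AC7-3825-6FE4BBBAB2C8} - C:\WINDOWS\system32\jrtv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {79FEA479-47BF-4616-EAE8-43A60F51C3CD} - C:\WINDOWS\system32\nyklr.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A910EA82-0B31-53E2-40D4-71F2C75641CF} - C:\WINDOWS\system32\kqltt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or placeholder>".
# A CLSID is 32 hex digits plus four dashes, 36 characters inside the braces.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_bhos(log_text: str) -> List[Dict[str, str]]:
    """Return every O2 line as a dict with name, clsid, path and the raw line."""
    bhos = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["line"] = line
            bhos.append(entry)
    return bhos


def is_orphaned(path: str) -> bool:
    """HijackThis marks a registered BHO whose DLL is absent in one of two ways."""
    return path == "(no file)" or path.endswith("(file missing)")


def orphaned_bhos(log_text: str) -> List[Dict[str, str]]:
    """O2 entries that point at a DLL HijackThis could not find on disk."""
    return [b for b in parse_bhos(log_text) if is_orphaned(b["path"])]


def fix_list(log_text: str) -> List[str]:
    """The exact log lines to tick under Scan -> Fix checked."""
    return [b["line"] for b in orphaned_bhos(log_text)]


if __name__ == "__main__":
    for b in orphaned_bhos(SAMPLE_LOG):
        print(f"{b['clsid']}  {b['path']}")
```

The rule is deliberately narrow: a missing DLL means the registration is dead weight, so removing it is safe regardless of what the DLL once was. A BHO whose DLL is still present, even one with a blank name like the SDHelper.dll entry above, is not flagged, because that is a decision about the file, not the registry entry, and needs the file itself checked.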


#4 juicyplasma
  • Topic Starter

  • Members
  • 12 posts

Posted 24 May 2007 - 10:53 AM

Hey there Aaflac,

Thank you for your reply. I have done as you instructed and below are the logs you requested.

StartupList:

StartupList report, 25/05/2007, 1:42:38 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\JP Fernandez\Start Menu\Programs\Startup]
wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
InternodeUsage = C:\PROGRA~1\INTERN~2\mum.exe
type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
{6466EA8E-0BB0-3081-0929-03102005003d} = "C:\Program Files\Common Files\{6466EA8E-0BB0-3081-0929-03102005003d}\Update.exe" mc-110-12-0001592
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
DAEMON Tools = "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\DREAMA~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}]
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab

[{59131903-4A33-40D5-80C2-5242DD365AB3}]
CODEBASE = http://www.swissquake.ch/chumbalum-soft/fi...3DViewerOCX.cab

[Medi@Show Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PresentCtl.dll
CODEBASE = http://tw.cyberlink.com/medi@show/tv/MediaShow.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7885.6847222222

[MSN Games - Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll
Protocol #27: C:\WINDOWS\system32\mswsock.dll
Protocol #28: C:\WINDOWS\system32\mswsock.dll
Protocol #29: C:\WINDOWS\system32\mswsock.dll
Protocol #30: C:\WINDOWS\system32\mswsock.dll
Protocol #31: C:\WINDOWS\system32\mswsock.dll
Protocol #32: C:\WINDOWS\system32\mswsock.dll
Protocol #33: C:\WINDOWS\system32\mswsock.dll
Protocol #34: C:\WINDOWS\system32\mswsock.dll
Protocol #35: C:\WINDOWS\system32\mswsock.dll
Protocol #36: C:\WINDOWS\system32\mswsock.dll
Protocol #37: C:\WINDOWS\system32\mswsock.dll
Protocol #38: C:\WINDOWS\system32\mswsock.dll
Protocol #39: C:\WINDOWS\system32\mswsock.dll
Protocol #40: C:\WINDOWS\system32\mswsock.dll
Protocol #41: C:\WINDOWS\system32\mswsock.dll
Protocol #42: C:\WINDOWS\system32\mswsock.dll
Protocol #43: C:\WINDOWS\system32\mswsock.dll
Protocol #44: C:\WINDOWS\system32\mswsock.dll
Protocol #45: C:\WINDOWS\system32\mswsock.dll
Protocol #46: C:\WINDOWS\system32\mswsock.dll
Protocol #47: C:\WINDOWS\system32\mswsock.dll
Protocol #48: C:\WINDOWS\system32\mswsock.dll
Protocol #49: C:\WINDOWS\system32\mswsock.dll
Protocol #50: C:\WINDOWS\system32\mswsock.dll
Protocol #51: C:\WINDOWS\system32\mswsock.dll
Protocol #52: C:\WINDOWS\system32\mswsock.dll
Protocol #53: C:\WINDOWS\system32\mswsock.dll
Protocol #54: C:\WINDOWS\system32\mswsock.dll
Protocol #55: C:\WINDOWS\system32\mswsock.dll
Protocol #56: C:\WINDOWS\system32\mswsock.dll
Protocol #57: C:\WINDOWS\system32\mswsock.dll
Protocol #58: C:\WINDOWS\system32\mswsock.dll
Protocol #59: C:\WINDOWS\system32\mswsock.dll
Protocol #60: C:\WINDOWS\system32\mswsock.dll
Protocol #61: C:\WINDOWS\system32\mswsock.dll
Protocol #62: C:\WINDOWS\system32\mswsock.dll
Protocol #63: C:\WINDOWS\system32\mswsock.dll
Protocol #64: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

2hotspot Miniport: system32\DRIVERS\acontrol.sys (manual start)
IPv6 Helper Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Bluetooth Audio Service: system32\DRIVERS\blueletaudio.sys (manual start)
BlueSoleil Hid Service: C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (autostart)
BootScreen: \SystemRoot\System32\drivers\vidstub.sys (system)
BRGSp50 NDIS Protocol Driver: System32\Drivers\BRGSp50.sys (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth PAN Network Adapter: system32\DRIVERS\btnetdrv.sys (manual start)
Bluetooth USB For Bluetooth Service: System32\Drivers\btcusb.sys (manual start)
Bluetooth Request Block Driver: system32\DRIVERS\BthEnum.sys (manual start)
Bluetooth HID Enumerator: system32\DRIVERS\vbtenum.sys (manual start)
Bluetooth HID Manager Service: System32\Drivers\BTHidMgr.sys (system)
Bluetooth Modem Communications Driver: system32\DRIVERS\bthmodem.sys (manual start)
Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
Bluetooth Network Filter: \??\C:\WINDOWS\system32\drivers\BTNetFilter.sys (manual start)
MEDION (7134) WDM Video Capture: System32\DRIVERS\Cap7134.sys (manual start)
Card Reader Filter: \??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS (manual start)
CA License Client: C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (manual start)
CA License Server: C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
enodpl: System32\drivers\enodpl.sys (autostart)
ENTECH: \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
Creatix V.9X DSP Data Fax Modem: System32\DRIVERS\ctxs51.sys (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
ithsgt: system32\DRIVERS\ithsgt.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
lilsgt: system32\DRIVERS\lilsgt.sys (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Event Log Watch: C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
MR97310 CIF Dual Mode Camera: system32\DRIVERS\mr97310c.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft IR Communications Driver: System32\DRIVERS\MSIRCOMM.sys (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NPPTNT2: \??\C:\WINDOWS\system32\npptNT2.sys (system)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
VSO Software pcouffin: System32\Drivers\Pcouffin.sys (manual start)
Pen Class: system32\Drivers\PenClass.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
MEDION TV-TUNER 7134 MK2/3: System32\DRIVERS\PhTVTune.sys (manual start)
Video Blaster WebCam 5 (WDM): System32\DRIVERS\Pd100Vid.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Microsoft IntelliPoint Filter Driver: system32\DRIVERS\point32.sys (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
PRISM 802.11g Driver: System32\DRIVERS\PRISMA00.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PsSdk30: \??\C:\WINDOWS\system32\Drivers\PsSdk30.drv (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Bluetooth Device (RFCOMM Protocol TDI): system32\DRIVERS\rfcomm.sys (manual start)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
StarForce Protection Synchronization Driver (version 2.x): System32\drivers\sfsync02.sys (system)
StarForce Protection VFS Driver (version 2.x): System32\drivers\sfvfs02.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SigmaTel USB-IrDA Dongle: System32\DRIVERS\irstusb.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{407FC3A4-9CF7-4F29-92A8-23260A3665D7} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TabletService: C:\WINDOWS\system32\Tablet.exe (autostart)
tandpl: System32\drivers\tandpl.sys (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: System32\DRIVERS\tcpip6.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Tetris driver: System32\Drivers\Tetris.sys (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: System32\DRIVERS\tunmp.sys (manual start)
UMP Serial Port Driver: system32\DRIVERS\umpusbxp.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
%StandardHub.SvcDesc%: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
Motorola USB Modem Driver: system32\DRIVERS\usbser.sys (manual start)
Motorola USB Modem Driver for MPT: system32\DRIVERS\usbsermpt.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
USB RNDIS Adapter: system32\DRIVERS\usb8023x.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
vaxscsi: \SystemRoot\System32\Drivers\vaxscsi.sys (manual start)
Bluetooth VComm Manager Service: System32\Drivers\VcommMgr.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Windows CE USB Serial Host Driver: system32\DRIVERS\wceusbsh.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
X10 Device Network Service: C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (manual start)
%DESCRIPTION%: System32\Drivers\x10uif.sys (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WIFI LINK IEEE 802.11 b+g Wireless LAN Driver (USB)(MAYFLASH): system32\DRIVERS\zd1211Bu.sys (manual start)
ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS): system32\DRIVERS\zd1211Bu.sys (manual start)
ZDPSp50 NDIS Protocol Driver: System32\Drivers\ZDPSp50.sys (manual start)
ZyDAS1211BBG: "C:\Program Files\WIFI_LINK\WL_Utility\srvany.exe" (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: *Registry key not found*
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 45,826 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 1:43:54 AM, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\INTERN~2\mum.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [{6466EA8E-0BB0-3081-0929-03102005003d}] "C:\Program Files\Common Files\{6466EA8E-0BB0-3081-0929-03102005003d}\Update.exe" mc-110-12-0001592
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - http://www.swissquake.ch/chumbalum-soft/fi...3DViewerOCX.cab
O16 - DPF: {5DBF08EF-4BDE-11D3-B8E4-0080C84E9C66} (Medi@Show Control) - http://tw.cyberlink.com/medi@show/tv/MediaShow.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5046CF9E-920C-463E-998C-DECDAEB3221D}: NameServer = 192.231.203.132,192.231.203.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: ZyDAS1211BBG - Unknown owner - C:\Program Files\WIFI_LINK\WL_Utility\srvany.exe (file missing)


Cheers,
JP

#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 24 May 2007 - 09:20 PM

Looks as if naecd.sys is rather elusive!

Let's back up the Registry before working with it.

Please go to Start > Run, and type: Regedit
On the left side, click and highlight My Computer
Go to the File menu (at the top)
Select: Export
Save in: Desktop
File Name: BackUp
Save As Type: leave as Registration Files
Click: Save
Then go to File > Exit
(This saves a backup copy of the Registry.)

~~~~
Next, please download RegSearch
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip
Save to the Desktop
Right click the RegSearch zipped folder
Select: Extract All

In the Extraction Wizard, click: Next > Next > Finish
A folder is created on the Desktop, and RegSearch is in it.
We will use it shortly

~~~~
Now, create a file for RegSearch to use
Go to Start > Run, type in: notepad > OK
Copy and paste the following blue text to Notepad:

RegSearch Options File

[Search]
naecd

[Exclude]

[Options]
Filter=KVDLU


Save the above as naecd.txt, and to the Desktop.

~~~~
Double click RegSearch.exe
Allow it to run if a Security prompt appears
Click: Import
In the Import prompt click the drop arrow to the right of Look in
Select the Desktop
Select naecd.txt and double click it
Click OK

The results of RegSearch are saved to a file named RegSearch.txt in the same location as the program.

~~~~
Now, please download ComboFix (by sUBs):
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.

When finished, it produces a log: combofix.txt

~~~~
Please provide the contents of the RegSearch.txt and the
combofix.txt in your reply.

Old duck...
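
The RegSearch run described in the post above, reproduced as an added PowerShell example (this is not code from the thread, from RegSearch or from any of the tools named here). It walks HKEY_LOCAL_MACHINE and HKEY_USERS and reports every key name, value name and value data containing the search string, which is what the Filter=KVDLU line in naecd.txt asks RegSearch for. Assumptions: PowerShell 3.0 or later, an elevated prompt so protected keys can be read, and the output file name RegSearch-ps.txt, which is our choice rather than anything RegSearch writes.

```powershell
# Added example: a PowerShell equivalent of the RegSearch run in the post above.
# Not from the thread or from RegSearch. Assumed: PowerShell 3.0+, elevated prompt.
# Keys that cannot be opened (SAM, SECURITY, ...) are skipped instead of aborting.

function Search-RegistryString {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\', 'Registry::HKEY_USERS')
    )
    # Match the literal string (not a regular expression), case-insensitively,
    # the same way the naecd.txt options file names a plain word to look for.
    $regex = [regex]::Escape($Pattern)
    $hits  = New-Object System.Collections.Generic.List[object]

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_   # Microsoft.Win32.RegistryKey

            # K: the key name itself (e.g. ...\Enum\Root\LEGACY_NAECD)
            if ($key.PSChildName -match $regex) {
                $hits.Add([pscustomobject]@{ Where = 'Key'; Key = $key.Name; Name = ''; Data = '' })
            }

            foreach ($valueName in $key.GetValueNames()) {
                # Read REG_EXPAND_SZ unexpanded so the stored text is what gets matched.
                $data = $key.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                # Multi-string and binary data become one string so they can be searched too.
                $text = if ($data -is [System.Array]) { $data -join ' ' } else { [string]$data }

                # V: the value name (e.g. "DisplayName")
                if ($valueName -match $regex) {
                    $hits.Add([pscustomobject]@{ Where = 'Value'; Key = $key.Name; Name = $valueName; Data = $text })
                }
                # D: the value data (e.g. "Service"="naecd")
                if ($text -match $regex) {
                    $hits.Add([pscustomobject]@{ Where = 'Data'; Key = $key.Name; Name = $valueName; Data = $text })
                }
            }
        }
    }
    return $hits
}

# Usage: same search term as the naecd.txt options file in the post. A full walk of
# HKLM and HKU takes a few minutes; results are shown and saved beside the script.
$results = Search-RegistryString -Pattern 'naecd'
$results | Format-Table -AutoSize
$results | Format-List | Out-File -FilePath (Join-Path $PWD 'RegSearch-ps.txt')
```

Read the output the way Aaflac reads RegSearch.txt: a Services\<name> key and a LEGACY_<NAME> enumeration key left behind after the driver file is gone are the loading points that still need cleaning, while hits under Search Assistant or OpenSaveMRU are just traces of the search and the options file you created.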


#6 juicyplasma

juicyplasma
  • Topic Starter

  • Members
  • 12 posts

Posted 24 May 2007 - 10:31 PM

As requested Aaflac :thumbsup:

ComboFix

"JP Fernandez" - 2007-05-25 13:11:15 Service Pack 2
ComboFix 07-05.25.V - Running from: "C:\Program Files\SlimBrowser\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\{6466E~1\system.dll"
"C:\Program Files\Common Files\{6466E~1"
"C:\WINDOWS\system32\drivers\sfsync02.sys"

Purity Folders:

C:\Program Files\Common Files\SKS~1
C:\Program Files\SKS~1
C:\DOCUME~1\JPFERN~1\APPLIC~1\CROSOF~1.NET



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_COM+_MESSAGES
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-25 ))))))))))))))))))))))))))))))))))


2007-05-25 13:15 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-05-24 19:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-24 19:31 <DIR> d-------- C:\DOCUME~1\JPFERN~1\.housecall6.6
2007-05-24 18:43 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-24 18:43 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-24 18:43 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-24 18:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-24 17:05 3,844 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-18 21:09 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-18 21:09 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-18 21:09 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-17 17:14 <DIR> d-------- C:\Program Files\LucasArts
2007-05-13 14:37 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-13 13:54 <DIR> d-------- C:\Program Files\Atari
2007-05-09 22:26 <DIR> d-------- C:\Program Files\Activision
2007-05-07 14:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-05-06 23:53 <DIR> d-------- C:\Program Files\EvilLyrics
2007-05-06 22:24 <DIR> d-------- C:\DOCUME~1\JPFERN~1\APPLIC~1\Screenshot Sender
2007-05-06 22:23 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-05-06 21:36 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-06 20:59 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-05-06 20:59 <DIR> d-------- C:\DOCUME~1\JPFERN~1\APPLIC~1\URSoft
2007-05-06 20:40 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-05-06 20:40 <DIR> d-------- C:\WINDOWS\nview
2007-05-06 17:08 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-05-06 17:08 <DIR> d-------- C:\NVIDIA
2007-05-03 00:07 <DIR> d-------- C:\Program Files\Lionhead Studios
2007-05-03 00:04 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-05-02 19:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-30 20:45 2,050 --a------ C:\WINDOWS\system32\sdbackup.reg


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 03:18:23 12,630 ----a-w C:\WINDOWS\system32\tablet.dat
2007-05-25 03:16:37 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\SlimBrowser
2007-05-25 03:10:53 -------- d-----w C:\Program Files\SlimBrowser
2007-05-24 13:08:43 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-24 09:02:21 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Azureus
2007-05-24 08:45:51 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-24 08:06:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-19 07:57:34 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Vso
2007-05-18 23:07:19 -------- d-----w C:\Program Files\7-Zip
2007-05-18 14:31:25 -------- d-----w C:\Program Files\Blaze Media Pro
2007-05-18 11:37:45 -------- d-----w C:\Program Files\Winamp
2007-05-06 13:54:00 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-06 12:23:26 -------- d-----w C:\Program Files\MSN Messenger
2007-05-06 11:28:23 -------- d-----w C:\Program Files\PPCTT
2007-05-06 11:28:23 -------- d-----w C:\Program Files\PenPlus Personal
2007-05-06 11:28:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-06 11:28:21 -------- d-----w C:\Program Files\Fx Vid Cap
2007-05-06 11:28:21 -------- d-----w C:\Program Files\DivX
2007-05-06 11:21:00 -------- d-----w C:\Program Files\LimeWire
2007-05-06 11:21:00 -------- d-----w C:\Program Files\GetRight
2007-05-06 11:21:00 -------- d-----w C:\Program Files\Common Files\Real
2007-05-06 11:20:59 -------- d-----w C:\Program Files\pspvideo9
2007-05-06 07:13:41 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-05 13:07:18 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Lionhead Studios
2007-05-05 13:05:24 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Microsoft Games
2007-05-02 10:00:41 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-21 03:33:30 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-04-20 13:45:41 23,584 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\wklnhst.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 05:27:39 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-16 05:23:11 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-14 13:26:15 -------- d-----w C:\Program Files\HHD Software
2007-04-13 12:35:21 48,928 ----a-w C:\WINDOWS\system32\drivers\Tetris.sys
2007-04-13 12:27:16 162,432 ----a-w C:\WINDOWS\system32\drivers\ithsgt.sys
2007-04-13 12:27:14 12,032 ----a-w C:\WINDOWS\system32\drivers\lilsgt.sys
2007-04-13 10:31:15 -------- d-----w C:\Program Files\Trillian
2007-04-13 05:40:24 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2007-04-10 10:30:34 87,608 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\ezpinst.exe
2007-04-10 10:30:34 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-10 10:30:34 47,360 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\pcouffin.sys
2007-04-10 10:30:30 -------- d-----w C:\Program Files\vso
2007-04-07 04:35:42 -------- d-----w C:\Program Files\Dream Aquarium
2007-04-04 03:29:26 1,098 -c--a-w C:\WINDOWS\ssconf.bin
2007-04-04 03:29:14 44,239 ----a-w C:\sound32.dll
2007-04-04 02:44:29 -------- d-----w C:\Program Files\Astro Gemini Software
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:51:00 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 13:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"InternodeUsage"="C:\PROGRA~1\INTERN~2\mum.exe" [2004-05-21 14:40]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 09:45]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 09:41]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 08:21]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 15:13]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 08:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntivirusRegistration]
C:\Program Files\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Documents and Settings\JP Fernandez\My Documents\Burning Software\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]
"C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\System32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vssms32]
C:\WINDOWS\system32\vssms32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
"C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InoRT"=2 (0x2)
"InoRPC"=2 (0x2)
"ImapiService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070525-013620-470
O2 - BHO: (no name) - {79FEA479-47BF-4616-EAE8-43A60F51C3CD} - C:\WINDOWS\system32\nyklr.dll (file missing)

backup-20070525-013620-961
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

backup-20070525-013620-752
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20070525-013620-147
O2 - BHO: (no name) - {A910EA82-0B31-53E2-40D4-71F2C75641CF} - C:\WINDOWS\system32\kqltt.dll (file missing)

backup-20070525-013620-553
O2 - BHO: (no name) - {0D1D89F7-633C-3AC7-3825-6FE4BBBAB2C8} - C:\WINDOWS\system32\jrtv.dll (file missing)
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-25 13:18:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-05-25 13:20:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-25 13:20

--- E O F ---

RegistrySearch

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.4.2

; Results at 25/05/2007 1:08:12 PM for strings:
; 'naecd'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\ATI Technologies\CDS\Device\0]
"DeviceItem0075"="[Non-Plug and Play Drivers] -> [naecd] (0x00000000)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAECD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAECD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAECD\0000]
"Service"="naecd"
"DeviceDesc"="naecd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAECD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\naecd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\naecd]
"DisplayName"="naecd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\naecd\Security]

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="naecd"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\Documents and Settings\\JP Fernandez\\Desktop\\naecd.txt"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"c"="C:\\Documents and Settings\\JP Fernandez\\Desktop\\naecd.txt"

; End Of The Log...

#7 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 May 2007 - 04:09 PM

There is a Safe Mode problem showing on the ComboFix log.

Please download AVZ:
http://z-oleg.com/avz4en.zip

Unzip it to a folder on the Desktop
Open the avz4en folder and double-click on AVZ.exe

In the program window, click on the File tab
Next, click on System Recovery
Place a checkmark next to: Restore SafeBoot Registry keys
Click on the Execute selected operations button
Close AVZ

~~~~
Next, please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\P2P Networking]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vssms32]


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Search for and remove the following folders (bold):
C:\Program Files\Common files\updater
C:\WINDOWS\system32\P2P Networking

Search for and remove the following file (bold):
C:\WINDOWS\system32\vssms32.exe

~~~~
Next, download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Run ComboFix once again.

~~~~
Please post the SuperAntiSpyware log, and a new ComboFix.txt

Old duck...
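
Two checks that go with the fixes requested in the post above, written as an added PowerShell example (not code from the thread, from AVZ or from ComboFix). The first reports whether the SafeBoot subkeys Windows needs for Safe Mode and Safe Mode with Networking are present, which is the condition ComboFix flagged and AVZ is asked to repair; the second lists msconfig "startupreg" entries whose program no longer exists on disk, the kind of leftover that delete.reg removes here (P2P Networking, updater, vssms32). Assumptions: the value name "command" under each startupreg subkey (the value msconfig writes on XP), PowerShell 3.0 or later, and an elevated prompt.

```powershell
# Added example: verify the Safe Mode keys and find stale msconfig startup entries.
# Not from the thread or from any tool named in it. Assumed: PowerShell 3.0+,
# elevated prompt, and the 'command' value name under startupreg\<entry>.

function Test-SafeBootKeys {
    # ComboFix reported "SafeBoot registry key needs to be repaired". Windows reads
    # these two subkeys to decide which drivers/services load in Safe Mode.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $report = @{}
    foreach ($mode in 'Minimal', 'Network') {
        $path = Join-Path $base $mode
        if (Test-Path -LiteralPath $path) {
            # A healthy XP install has dozens of entries under each subkey.
            $report[$mode] = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue).Count
        } else {
            $report[$mode] = -1   # missing: Safe Mode cannot start, as ComboFix warned
        }
    }
    return $report
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # "C:\Program Files\...\CMGrdian.exe" /SU          -> quoted path
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\Program Files\Common files\updater\wupdater.exe -> unquoted path with spaces
    if ($Command -match '^\s*(.+?\.(exe|cpl|scr))(\s|$)') { return $Matches[1] }
    # Anything else: first whitespace-delimited token
    return ($Command -split '\s+', 2)[0]
}

function Get-StaleMsconfigEntries {
    # msconfig parks disabled startup items here; the original command line is kept
    # in the 'command' value (assumed name). An entry whose program is gone is the
    # kind of dangling loading point that delete.reg in the post removes.
    $root = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path -LiteralPath $root)) { return @() }
    $stale = foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $cmd = (Get-ItemProperty -LiteralPath $sub.PSPath).command
        if (-not $cmd) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $cmd))
        # A bare name such as RUNDLL32.EXE resolves through PATH; a full path is tested directly.
        $exists = if ([IO.Path]::IsPathRooted($exe)) { Test-Path -LiteralPath $exe }
                  else { $null -ne (Get-Command $exe -ErrorAction SilentlyContinue) }
        if (-not $exists) {
            [pscustomobject]@{ Entry = $sub.PSChildName; Command = $cmd; Executable = $exe }
        }
    }
    return @($stale)
}

# Usage: run once before applying the post's fixes and once after; the SafeBoot counts
# should both be positive afterwards and the stale list should be empty.
Test-SafeBootKeys
Get-StaleMsconfigEntries | Format-Table -AutoSize
```

Entries that show up as stale only because the program was uninstalled normally are harmless clutter; the ones to look at are commands pointing into system32 or Common Files under names that match nothing you installed, as with vssms32.exe and wupdater.exe in the ComboFix log above.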


#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 May 2007 - 09:50 PM

One more thing, please download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

SilentRunners shows a few Registry keys that HijackThis does not, so let's get more of the picture.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

Provide the content of the SilentRunners log in your reply.

Old duck...


#9 juicyplasma

juicyplasma
  • Topic Starter

  • Members
  • 12 posts

Posted 25 May 2007 - 10:05 PM

Search for and remove the following folders (bold):
C:\Program Files\Common files\updater
C:\WINDOWS\system32\P2P Networking

Search for and remove the following file (bold):
C:\WINDOWS\system32\vssms32.exe


Those files don't exist on my system - is that a problem?

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 25 May 2007 - 11:13 PM

See if this helps:
Enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start > My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from: Hide file extensions for known file types
-Remove the checkmark from: Hide protected operating system files (Recommended)
-Press the Apply button
Click OK

Old duck...


#11 juicyplasma

juicyplasma
  • Topic Starter

  • Members
  • 12 posts

Posted 25 May 2007 - 11:14 PM

Here you go, Aaflac. My desktop is in a state of anarchy right now :thumbsup:

SuperAntiSpyWare:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2007 at 01:48 PM

Application Version : 3.8.1002

Core Rules Database Version : 3245
Trace Rules Database Version: 1256

Scan type : Complete Scan
Total Scan Time : 00:41:47

Memory items scanned : 534
Memory threats detected : 0
Registry items scanned : 7453
Registry threats detected : 0
File items scanned : 45970
File threats detected : 214

Adware.Tracking Cookie
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@mysexdreams[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[9].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@atdmt[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.filmforce.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@advertising[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@harrymedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@qnsr[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@hothousemedia[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.ps2.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@fresh-sex-girls[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@fastclick[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sitestats.tiscali.co[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.sexygonzo[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@mb[5].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@click.payserve[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@tracking.webdiversity.co[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@xren_cj[4].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.us.e-planning[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@mediats.lostfrog[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@tripod.lycos[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@clicksor[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.psp.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sexgallerypost[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sexy-superheroine-models[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.tampabayadult[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@overture[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@usenext[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.heias[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sex-team[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@avsmedia[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.hairboutique[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@audit.median[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@xiti[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.blizzard[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@partners.adultadworld[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.sexy-celebs[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@banners.nbcupromotes[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@xren_cj[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.harrymedia[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.thestar[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats.unwired-i[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@counter.inkfrog[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@webstats.thefa[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@adbrite[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@xren_cj[5].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.sextasya[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@toplist[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.cosplay[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.psx.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[5].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@surveys.spotsitemedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@image.masterstats[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@itxt.vibrantmedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.tiscali[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@icc.intellisrv[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@msnportal.112.2o7[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.101sexsecret[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@jimhillmedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@oddcast[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.admedian[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.xbox360.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www2.mystats[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.freepornsexgallery[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.theporntoplist[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@counter.blogexplosion[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.ps3.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@kanoodle[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.dailysexy[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.eliteclips[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.longxxxclips[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@xxx-seek[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@i[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.mantis-multimedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@therichmedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.belstat[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@atwola[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.neowin[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.psx.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@2o7[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad2.pamedia.com[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@homesexcams[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats.adbrite[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@zedo[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.tv.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.ds.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.voyeurxxxvideos[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@clickhype[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@hit.stat[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.toomuchsexy[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@server.cpmstar[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@st[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@centrebet.advertserve[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.uknetguide.co[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@mediaonenetwork[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad1.clickhype[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@dcsi583rp10000oevcqz9y4us_6l6d[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.100.tbn[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.burstbeacon[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@dtr[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@admarketplace[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@portal[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.adocean[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@toomuchsexy[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@track.publicisdigital.com[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.4xxxtremepleasures[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@statsgold[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.movies.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@gamestats[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.webnetad[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@yadro[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@monstersandcritics.advertserve[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.fliptrack[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.mkgmedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.psp.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.sensis.com[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@fr.clickintext[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sfs220[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@711340[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.fatpenguinmedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@netmediagroup[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.morpheus[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@webstats4u[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.movies.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats.gamestop[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ats[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@m.rmbclick[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats.canalblog[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.adultplayersclub[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.zanox[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats.ilsemedia[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@vhost.oddcast[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@banner.cdpoker[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@1070618844[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.pc.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@media.www.michigandaily[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.tripod.lycos.co[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.clickxchange[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@adopt.specificclick[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.moviemaze[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.12titans[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@nextag.co[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.adbrite[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@porn_mov311tee[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.cnn[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@3.adbrite[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@adultadworld[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@clicktorrent[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@a[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.ps3.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.ds.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.romnation[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@anad.tacoda[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.gameboy.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.wii.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.realtechnetwork[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.comics.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.bannerconnect[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.comprabanner[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.cosplay[3].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats[3].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@easywarez[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.adult-mpg[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sexyteengalls[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@sexyshare[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@clickapps[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@tracker.bitebbs[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@burstnet[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.gear.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[4].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@stats[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad-track[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@4.adbrite[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@adv.surinter[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@list[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@banner.32vegas[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[6].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@pamedia.com[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.clickapps[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@dtr[5].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.xbox360.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.movieweb[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@2.marketbanker[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@yourdailymedia[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@adecn[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.ps2.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.dvd.ign[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@au.media.tv.ign[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.adtegrity[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@lifemediahouse2.onlinewelten[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@jamster.com[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.gamestats[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cz11.clickzs[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[8].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.mediology[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@orange-nl[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@orange[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@euros4click[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ads.rlcomics[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cgi-bin[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@ad.ambiweb[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@statse.webtrendslive[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@www.yourdailymedia[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@access_tracker_pro[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@banner-tiscali[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@clickcount[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@cracks[2].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@mediaplayer[1].txt
C:\Documents and Settings\JP Fernandez\Cookies\jp fernandez@toplist[2].txt

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1719079C-1BA4-4CED-8C48-9A1E26F52136}\RP242\A0030752.EXE

Malware.VirusBurst
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1719079C-1BA4-4CED-8C48-9A1E26F52136}\RP242\A0030835.EXE

Trojan.Downloader-UnSVCHosts
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1719079C-1BA4-4CED-8C48-9A1E26F52136}\RP242\A0031022.EXE

SilentRunners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"McAfee.InstantUpdate.Monitor" = ""C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR" [file not found]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"InternodeUsage" = "C:\PROGRA~1\INTERN~2\mum.exe" [null data]
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\1033\UNBIND.DLL" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" [file not found]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\Wcesview.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{B95713CD-06FF-4D35-A9DA-4DBDFE5FD7F4}" = "Hex Editor Shell Extension"
-> {HKLM...CLSID} = "ShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\HHD Software\Hex Editor 3.x\heshell.dll" ["HHD Software"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> WB\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll" ["Stardock"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {HKLM...CLSID} = "IMMenuShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_BINARY) hex:03 F8 FF 01
{unrecognized setting}

"SpecifyDefaultButtons" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Btn_Search" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbar buttons}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\JP Fernandez\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "JP Fernandez" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\JP Fernandez\Start Menu\Programs\Startup
"wkcalrem" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe" ["Microsoft® Corporation"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"TabUserW.exe" -> shortcut to: "C:\WINDOWS\system32\WTablet\TabUserW.exe" ["Wacom Technology, Corp."]
"ZDWLan Utility" -> shortcut to: "C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe -SETWZC" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 64
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Event Log Watch, LogWatch, "C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TabletService, TabletService, "C:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds, including 15 seconds for message boxes)

ComboFix:
"JP Fernandez" - 2007-05-26 14:00:01 Service Pack 2
ComboFix 07-05.25.V - Running from: "C:\Documents and Settings\JP Fernandez\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-26 ))))))))))))))))))))))))))))))))))


2007-05-26 13:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-26 13:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-26 13:04 <DIR> d-------- C:\DOCUME~1\JPFERN~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-26 13:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-25 13:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-25 13:15 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-05-24 19:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-24 19:31 <DIR> d-------- C:\DOCUME~1\JPFERN~1\.housecall6.6
2007-05-24 18:43 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-24 18:43 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-24 18:43 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-24 18:43 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-24 17:05 3,844 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-18 21:09 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-18 21:09 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-18 21:09 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-17 17:14 <DIR> d-------- C:\Program Files\LucasArts
2007-05-13 14:37 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-13 13:54 <DIR> d-------- C:\Program Files\Atari
2007-05-09 22:26 <DIR> d-------- C:\Program Files\Activision
2007-05-07 14:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-05-06 23:53 <DIR> d-------- C:\Program Files\EvilLyrics
2007-05-06 22:24 <DIR> d-------- C:\DOCUME~1\JPFERN~1\APPLIC~1\Screenshot Sender
2007-05-06 22:23 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-05-06 21:36 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-06 20:59 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-05-06 20:59 <DIR> d-------- C:\DOCUME~1\JPFERN~1\APPLIC~1\URSoft
2007-05-06 20:40 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-05-06 20:40 <DIR> d-------- C:\WINDOWS\nview
2007-05-06 17:08 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-05-06 17:08 <DIR> d-------- C:\NVIDIA
2007-05-03 00:07 <DIR> d-------- C:\Program Files\Lionhead Studios
2007-05-03 00:04 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-05-02 19:57 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-30 20:45 2,050 --a------ C:\WINDOWS\system32\sdbackup.reg


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-26 04:04:01 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\SlimBrowser
2007-05-26 03:51:13 12,630 ----a-w C:\WINDOWS\system32\tablet.dat
2007-05-26 02:52:04 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Azureus
2007-05-25 15:51:22 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Vso
2007-05-25 03:10:53 -------- d-----w C:\Program Files\SlimBrowser
2007-05-24 13:08:43 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-24 08:45:51 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-24 08:06:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 23:07:19 -------- d-----w C:\Program Files\7-Zip
2007-05-18 14:31:25 -------- d-----w C:\Program Files\Blaze Media Pro
2007-05-18 11:37:45 -------- d-----w C:\Program Files\Winamp
2007-05-06 13:54:00 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-06 12:23:26 -------- d-----w C:\Program Files\MSN Messenger
2007-05-06 11:28:23 -------- d-----w C:\Program Files\PPCTT
2007-05-06 11:28:23 -------- d-----w C:\Program Files\PenPlus Personal
2007-05-06 11:28:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-06 11:28:21 -------- d-----w C:\Program Files\Fx Vid Cap
2007-05-06 11:28:21 -------- d-----w C:\Program Files\DivX
2007-05-06 11:21:00 -------- d-----w C:\Program Files\LimeWire
2007-05-06 11:21:00 -------- d-----w C:\Program Files\GetRight
2007-05-06 11:21:00 -------- d-----w C:\Program Files\Common Files\Real
2007-05-06 11:20:59 -------- d-----w C:\Program Files\pspvideo9
2007-05-06 07:13:41 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-05-05 13:07:18 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Lionhead Studios
2007-05-05 13:05:24 -------- d-----w C:\DOCUME~1\JPFERN~1\APPLIC~1\Microsoft Games
2007-05-02 10:00:41 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-04-21 03:33:30 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-04-20 13:45:41 23,584 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\wklnhst.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 05:27:39 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-16 05:23:11 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-14 13:26:15 -------- d-----w C:\Program Files\HHD Software
2007-04-13 12:35:21 48,928 ----a-w C:\WINDOWS\system32\drivers\Tetris.sys
2007-04-13 12:27:16 162,432 ----a-w C:\WINDOWS\system32\drivers\ithsgt.sys
2007-04-13 12:27:14 12,032 ----a-w C:\WINDOWS\system32\drivers\lilsgt.sys
2007-04-13 10:31:15 -------- d-----w C:\Program Files\Trillian
2007-04-13 05:40:24 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2007-04-10 10:30:34 87,608 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\ezpinst.exe
2007-04-10 10:30:34 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-10 10:30:34 47,360 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\pcouffin.sys
2007-04-10 10:30:30 -------- d-----w C:\Program Files\vso
2007-04-07 04:35:42 -------- d-----w C:\Program Files\Dream Aquarium
2007-04-04 03:29:26 1,098 -c--a-w C:\WINDOWS\ssconf.bin
2007-04-04 03:29:14 44,239 ----a-w C:\sound32.dll
2007-04-04 02:44:29 -------- d-----w C:\Program Files\Astro Gemini Software
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 23:51:00 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 13:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"InternodeUsage"="C:\PROGRA~1\INTERN~2\mum.exe" [2004-05-21 14:40]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 09:45]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 09:41]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 08:21]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 15:13]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 08:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntivirusRegistration]
C:\Program Files\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Documents and Settings\JP Fernandez\My Documents\Burning Software\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]
"C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\System32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
"C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"InoRT"=2 (0x2)
"InoRPC"=2 (0x2)
"ImapiService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 14:03:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-05-26 14:04:49
C:\ComboFix-quarantined-files.txt ... 2007-05-26 14:04
C:\ComboFix2.txt ... 2007-05-25 13:20

--- E O F ---
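
The ComboFix "Files Created" and "Find3M" sections above share one line shape (timestamp, size or `<DIR>`, attribute flags, path). Added here as an example for reading such a log, not a tool from this thread or from ComboFix: a small parser plus a triage heuristic that flags executables and drivers in places a helper would look at first (user profile and Temp folders, the drive root). The sample embeds lines copied from the log above; the naecd.sys line is constructed from the thread's description, and a flag only marks an entry for review, not as malicious.

```python
import re
from typing import List, Optional, Tuple

# One entry line reads: <date> <time[:ss]> <size | <DIR> | --------> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"  # timestamp, seconds only in Find3M
    r"(<DIR>|-+|[\d,]+)\s+"                            # size, or <DIR>/dashes for folders
    r"([a-z-]+)\s+"                                    # attribute flags, e.g. --a------
    r"(.+?)\s*$"                                       # path; may contain spaces
)
Entry = Tuple[str, Optional[int], str, str]  # (timestamp, size or None for folders, attrs, path)

def parse(text: str) -> List[Entry]:
    # Lines of any other shape (section banners, blank lines) are skipped.
    out: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        out.append((when, int(size.replace(",", "")) if size[0].isdigit() else None, attrs, path))
    return out

EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")
PROFILE_DIRS = ("\\temp\\", "\\applic~1\\", "\\application data\\", "\\locals~1\\", "\\local settings\\")

def reason(entry: Entry) -> Optional[str]:
    # Triage heuristic: why this entry deserves a closer look, or None if nothing stands out.
    _, size, _, path = entry
    p = path.lower()
    if size is None or not p.endswith(EXEC_EXT):
        return None                      # folders and data files are not scored here
    if any(d in p for d in PROFILE_DIRS):
        return "executable in user profile / temp directory"
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "executable directly in drive root"
    return None

def triage(text: str) -> List[Tuple[str, str]]:
    return [(e[3], r) for e in parse(text) if (r := reason(e)) is not None]

# Constructed sample: four lines copied from the log above plus one constructed line for
# naecd.sys in the Temp folder, which the thread describes but the log no longer lists.
SAMPLE = r"""
2007-05-25 13:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-26 13:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-10 10:30:34 47,360 ----a-w C:\DOCUME~1\JPFERN~1\APPLIC~1\pcouffin.sys
2007-04-04 03:29:14 44,239 ----a-w C:\sound32.dll
2007-05-24 16:58 24,576 --a------ C:\DOCUME~1\JPFERN~1\LOCALS~1\Temp\naecd.sys
"""
```

Running `triage(SAMPLE)` returns the three profile, Temp and drive-root entries with their reasons; the Windows-folder and `<DIR>` lines are left alone.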

#12 juicyplasma

juicyplasma
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 25 May 2007 - 11:20 PM

See if this helps:
Enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start > My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from: Hide file extensions for known file types
-Remove the checkmark from: Hide protected operating system files (Recommended)
-Press the Apply button
-Click OK

Still coming up trumps on those files. Could it be they're not there because I've disabled a few unscrupulous looking files from my Startup list in msconfig?

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:00 PM

Posted 26 May 2007 - 09:37 PM

Looks as if the files are gone. That is fine.

Are you still having problems?

Old duck...


#14 juicyplasma

juicyplasma
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:00 AM

Posted 27 May 2007 - 11:48 PM

The trojan has disappeared and I can now play the game with a disk without naecd.sys butting in!

You're a genius Aaflac :thumbsup:

These forums are fantastic, you guys give so much and ask for nothing in return.

I think I shall donate.

Many thanks,
JP

#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:07:00 PM

Posted 28 May 2007 - 11:54 AM

If you are not having malware problems, you are good to go!

Take a good look at the following suggestions to remain malware free:
Tony Klein’s article 'How Did I Get Infected In The First Place'
http://forums.spywareinfo.com/index.php?showtopic=60955

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...


Good luck, and safe journey through the Internet!!

Old duck...




