
Having Problems With Hanonvt.ini


48 replies to this topic

#16 Tomboymama (Authentic Member, 46 posts)

Posted 24 August 2007 - 08:17 PM

SERVICE_NAME: HidServ Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 4 DISABLED ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Human Interface Device Access DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: IDriverT Provides support for the Running Object Table for InstallShield Drivers TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : InstallDriver Table Manager DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: ImapiService Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IMAPI CD-Burning COM Service DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: InCDsrv Helper service for the InCD filesystem driver TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Ahead\InCD\InCDsrv.exe LOAD_ORDER_GROUP : LocalValidation TAG : 0 DISPLAY_NAME : InCD Helper DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: InCDsrvR Helper service for the InCD filesystem driver (read only) TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Ahead\InCD\InCDsrv.exe -r LOAD_ORDER_GROUP : LocalValidation TAG : 0 DISPLAY_NAME : InCD Helper (read only) DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: iPod Service iPod hardware management services TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\iPod\bin\iPodService.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : iPod Service DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Server DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : Workstation DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: LexBceS (null) TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\LEXBCES.EXE LOAD_ORDER_GROUP : SpoolerGroup TAG : 0 DISPLAY_NAME : LexBce Server DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : TCP/IP NetBIOS Helper DEPENDENCIES : NetBT : Afd SERVICE_START_NAME: NT AUTHORITY\LocalService SERVICE_NAME: LWWLicenseService LWW product license service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : LWWLicenseService DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: Messenger Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 4 DISABLED ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Messenger DEPENDENCIES : LanmanWorkstation : NetBIOS : PlugPlay : RpcSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: mnmsrvc Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NetMeeting Remote Desktop Sharing DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: MSDTC Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe LOAD_ORDER_GROUP : MS Transactions TAG : 0 DISPLAY_NAME : Distributed Transaction Coordinator DEPENDENCIES : RPCSS : SamSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: MSIServer Installs, repairs and removes software according to instructions contained in .MSI files. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Installer DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: NetDDE Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. 
If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe LOAD_ORDER_GROUP : NetDDEGroup TAG : 0 DISPLAY_NAME : Network DDE DEPENDENCIES : NetDDEDSDM SERVICE_START_NAME: LocalSystem SERVICE_NAME: NetDDEdsdm Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network DDE DSDM DEPENDENCIES : : EGrLocalSystem : Network DDE DSDM : etwork DDE : ributed Transaction Coordinator : r : enseService : r : ion : Files\Jp :  SERVICE_START_NAME: LocalSystem SERVICE_NAME: Netlogon Supports pass-through authentication of account logon events for computers in a domain. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe LOAD_ORDER_GROUP : RemoteValidation TAG : 0 DISPLAY_NAME : Net Logon DEPENDENCIES : LanmanWorkstation SERVICE_START_NAME: LocalSystem SERVICE_NAME: Netman Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Connections DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: Nla Collects and stores network configuration and location information, and notifies applications when this information changes. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Network Location Awareness (NLA) DEPENDENCIES : Tcpip : Afd SERVICE_START_NAME: LocalSystem SERVICE_NAME: NtLmSsp Provides security to remote procedure call (RPC) programs that use transports other than named pipes. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NT LM Security Support Provider DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: NtmsSvc (null) TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Removable Storage DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: PcCtlCom Manages the Trend Micro PC-cillin components. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Trend Micro Central Control Component DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe LOAD_ORDER_GROUP : PlugPlay TAG : 0 DISPLAY_NAME : Plug and Play DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IPSEC Services DEPENDENCIES : RPCSS : Tcpip : IPSec SERVICE_START_NAME: LocalSystem SERVICE_NAME: ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Protected Storage DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: RasAuto Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Access Auto Connection Manager DEPENDENCIES : RasMan : Tapisrv SERVICE_START_NAME: LocalSystem SERVICE_NAME: RasMan Creates a network connection. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Access Connection Manager DEPENDENCIES : Tapisrv SERVICE_START_NAME: LocalSystem SERVICE_NAME: RDSessMgr Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. 
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Desktop Help Session Manager DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: RemoteAccess Offers routing services to businesses in local area and wide area network environments. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 4 DISABLED ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Routing and Remote Access DEPENDENCIES : RpcSS : +NetBIOSGroup SERVICE_START_NAME: LocalSystem SERVICE_NAME: RpcLocator Manages the RPC name service database. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Remote Procedure Call (RPC) Locator DEPENDENCIES : LanmanWorkstation SERVICE_START_NAME: NT AUTHORITY\NetworkService SERVICE_NAME: RpcSs Provides the endpoint mapper and other miscellaneous RPC services. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss LOAD_ORDER_GROUP : COM Infrastructure TAG : 0 DISPLAY_NAME : Remote Procedure Call (RPC) DEPENDENCIES : SERVICE_START_NAME: LocalSystem FAIL_RESET_PERIOD : 0 seconds FAILURE_ACTIONS : Reboot DELAY: 60000 seconds SERVICE_NAME: RSVP Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : QoS RSVP DEPENDENCIES : TcpIp : Afd : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: SamSs Stores security information for local user accounts. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe LOAD_ORDER_GROUP : LocalValidation TAG : 0 DISPLAY_NAME : Security Accounts Manager DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: SCardSvr Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Smart Card DEPENDENCIES : PlugPlay SERVICE_START_NAME: NT AUTHORITY\LocalService SERVICE_NAME: Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : SchedulerGroup TAG : 0 DISPLAY_NAME : Task Scheduler DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: ScsiAccess (null) TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Photodex\ProShowGold\progold3\ScsiAccess.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ScsiAccess DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: sdAuxService Provides auxiliary Spyware Doctor services. If this service is disabled spyware protection will be reduced. 
TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Spyware Doctor\svcntaux.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : PC Tools Auxiliary Service DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: sdCoreService Provides spyware and malware protection for the system. If this service is disabled spyware protection will be disabled. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Spyware Doctor\swdsvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : PC Tools Security Service DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Secondary Logon DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : Network TAG : 0 DISPLAY_NAME : System Event Notification DEPENDENCIES : EventSystem SERVICE_START_NAME: LocalSystem SERVICE_NAME: SharedAccess Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Internet Connection Sharing DEPENDENCIES : Netman : NLA : RasMan : ALG SERVICE_START_NAME: LocalSystem SERVICE_NAME: ShellHWDetection (null) TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : ShellSvcGroup TAG : 0 DISPLAY_NAME : Shell Hardware Detection DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: Spooler Loads files to memory for later printing. TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe LOAD_ORDER_GROUP : SpoolerGroup TAG : 0 DISPLAY_NAME : Print Spooler DEPENDENCIES : LexBceS : RPCSS SERVICE_START_NAME: LocalSystem FAIL_RESET_PERIOD : 86400 seconds FAILURE_ACTIONS : Restart DELAY: 60000 seconds : Restart DELAY: 60000 seconds : None DELAY: 0 seconds SERVICE_NAME: srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : System Restore Service DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: SSDPSRV Enables discovery of UPnP devices on your home network. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SSDP Discovery Service DEPENDENCIES : SERVICE_START_NAME: NT AUTHORITY\LocalService SERVICE_NAME: stisvc Provides image acquisition services for scanners and cameras. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Image Acquisition (WIA) DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: SwPrv Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MS Software Shadow Copy Provider DEPENDENCIES : rpcss SERVICE_START_NAME: LocalSystem SERVICE_NAME: SysmonLog Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Performance Logs and Alerts DEPENDENCIES : SERVICE_START_NAME: NT Authority\NetworkService SERVICE_NAME: TapiSrv Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Telephony DEPENDENCIES : PlugPlay : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: TermService Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Terminal Services DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: Themes Provides user experience theme management. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : UIGroup TAG : 0 DISPLAY_NAME : Themes DEPENDENCIES : SERVICE_START_NAME: LocalSystem FAIL_RESET_PERIOD : 86400 seconds FAILURE_ACTIONS : Restart DELAY: 60000 seconds : Restart DELAY: 60000 seconds : None DELAY: 0 seconds SERVICE_NAME: Tmntsrv Enables scanning in real time. TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Trend Micro Real-time Service DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: TmPfw Manages the Trend Micro Personal Firewall. TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Trend Micro Personal Firewall DEPENDENCIES : tm_cfw SERVICE_START_NAME: LocalSystem SERVICE_NAME: tmproxy Manages the Trend Micro Proxy. 
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Trend Micro Proxy Service DEPENDENCIES : tmtdi SERVICE_START_NAME: LocalSystem SERVICE_NAME: TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Distributed Link Tracking Client DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem SERVICE_NAME: UMWdf Enables Windows user mode drivers. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\wdfmgr.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows User Mode Driver Framework DEPENDENCIES : RpcSs SERVICE_START_NAME: NT AUTHORITY\LocalService SERVICE_NAME: upnphost Provides support to host Universal Plug and Play devices. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Universal Plug and Play Device Host DEPENDENCIES : SSDPSRV SERVICE_START_NAME: NT AUTHORITY\LocalService FAIL_RESET_PERIOD : -1 seconds FAILURE_ACTIONS : Restart DELAY: 0 seconds SERVICE_NAME: UPS Manages an uninterruptible power supply (UPS) connected to the computer. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Uninterruptible Power Supply DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: VSS Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. 
If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Volume Shadow Copy DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: w32time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Time DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService LOAD_ORDER_GROUP : NetworkProvider TAG : 0 DISPLAY_NAME : WebClient DEPENDENCIES : MRxDAV SERVICE_START_NAME: NT AUTHORITY\LocalService SERVICE_NAME: winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Windows Management Instrumentation DEPENDENCIES : RPCSS : Eventlog SERVICE_START_NAME: LocalSystem FAIL_RESET_PERIOD : 86400 seconds FAILURE_ACTIONS : Restart DELAY: 60000 seconds : Restart DELAY: 60000 seconds SERVICE_NAME: WmdmPmSN Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Portable Media Serial Number Service DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: WmiApSrv Provides performance library information from WMI HiPerf providers. TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : WMI Performance Adapter DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem SERVICE_NAME: wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. 
TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Automatic Updates DEPENDENCIES : SERVICE_START_NAME: LocalSystem SERVICE_NAME: WZCSVC Provides automatic configuration for the 802.11 adapters TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TDI TAG : 0 DISPLAY_NAME : Wireless Zero Configuration DEPENDENCIES : RpcSs : Ndisuio SERVICE_START_NAME: LocalSystem



#17 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 25 August 2007 - 11:44 AM

One of my favorite logs to read I must admit, but no amiss service activity showing in that last one. The earlier progress and Avenger results suggest SuperAntiSpyware's second removal of that infection file may have successfully removed that, so let's check now. Run new HijackThis and ComboFix scans and post those logs please.
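
An added example, not part of the thread and not one of the helper's tools: a Python script that parses a getservice-style dump in the exact layout of post #16 (one `SERVICE_NAME:` record after another, `TYPE` in hex, an optional `FAIL_RESET_PERIOD` tail) and prints the entries a helper would look at first. The sample dump is constructed: four records copied in shape from post #16 plus one made-up record (`fakesvc`, with a binary directly under the Windows directory) to exercise the %SystemRoot% check. The system root is assumed to be `C:\WINDOWS`, as on the poster's machine; the checks are review prompts, not verdicts.

```python
"""Triage an sc qc / getservice-style service dump.

Added example for this thread (not a tool from the original posts).
SAMPLE_DUMP is constructed: four records copied in shape from the dump
above plus one made-up record ("fakesvc").  Assumes %SystemRoot% is
C:\\WINDOWS, as on the poster's machine.
"""
import re

SYSTEM_ROOT = "c:\\windows\\"
SYSTEM32 = SYSTEM_ROOT + "system32\\"

# Fields appear in this fixed order in every record; TYPE is printed in hex.
# Service names containing a space (e.g. "iPod Service") are split at the
# space, so the remainder lands in the description; DISPLAY_NAME is intact.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<desc>.*?)\s*"
    r"TYPE\s*:\s*(?P<type>[0-9A-Fa-f]+)\s+(?P<type_name>[A-Z0-9_ ]+?)\s+"
    r"START_TYPE\s*:\s*(?P<start>\d)\s+(?P<start_name>\S+)\s+"
    r"ERROR_CONTROL\s*:\s*\d\s+\S+\s+"
    r"BINARY_PATH_NAME\s*:\s*(?P<path>.*?)\s*"
    r"LOAD_ORDER_GROUP\s*:\s*(?P<group>.*?)\s*"
    r"TAG\s*:\s*\d+\s+"
    r"DISPLAY_NAME\s*:\s*(?P<display>.*?)\s*"
    r"DEPENDENCIES\s*:\s*(?P<deps>.*?)\s*"
    r"SERVICE_START_NAME\s*:\s*(?P<account>.+?)\s*$",
    re.S,
)


def parse_dump(text):
    """Split the dump into one dict per SERVICE_NAME record."""
    services = []
    for chunk in text.split("SERVICE_NAME:")[1:]:
        body, _, failure = chunk.partition("FAIL_RESET_PERIOD")
        m = RECORD_RE.match(body.strip())
        if not m:
            continue  # truncated or garbled record: skip rather than guess
        rec = m.groupdict()
        rec["type"] = int(rec["type"], 16)   # 0x10 own, 0x20 shared, +0x100 interactive
        rec["start"] = int(rec["start"])     # 2 auto, 3 demand, 4 disabled
        rec["deps"] = [d.strip() for d in rec["deps"].split(":") if d.strip()]
        rec["failure_actions"] = failure.strip().lstrip(": ") or None
        services.append(rec)
    return services


def split_path(path):
    """Return (executable, arguments) for a BINARY_PATH_NAME value."""
    path = path.strip()
    if path.startswith('"'):
        exe, _, args = path[1:].partition('"')
        return exe, args.strip()
    # Unquoted paths may contain spaces: cut after the extension, not at the
    # first space.  Hosts like "svchost -k rpcss" have no extension at all.
    m = re.match(r"(?i)(.+?\.(?:exe|dll|sys))(?:\s+(.*))?$", path)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    exe, _, args = path.partition(" ")
    return exe, args.strip()


def svchost_group(rec):
    """The -k host group for svchost-hosted services, else None."""
    exe, args = split_path(rec["path"])
    if not exe.lower().split("\\")[-1].startswith("svchost"):
        return None
    m = re.search(r"-k\s+(\S+)", args)
    return m.group(1) if m else None


def triage(rec):
    """Reasons a helper would look at this entry first (prompts, not verdicts)."""
    exe, _ = split_path(rec["path"])
    low = exe.lower()
    in_windows = low.startswith(SYSTEM_ROOT)
    in_system32 = low.startswith(SYSTEM32)
    reasons = []
    if rec["desc"] in ("", "(null)"):
        reasons.append("no description")
    if in_windows and not in_system32:
        reasons.append("binary under %SystemRoot% but outside System32")
    if rec["type"] & 0x100 and not in_windows:
        reasons.append("third-party service may interact with the desktop")
    if rec["start"] == 2 and rec["account"].lower() == "localsystem" and not in_windows:
        reasons.append("third-party binary auto-starts as LocalSystem")
    return reasons


def triage_dump(text):
    """Map service name -> reasons, for flagged services only."""
    flagged = {}
    for rec in parse_dump(text):
        reasons = triage(rec)
        if reasons:
            flagged[rec["name"]] = reasons
    return flagged


# Constructed sample: four records in the shape of post #16 plus "fakesvc".
SAMPLE_DUMP = r"""
SERVICE_NAME: HidServ Enables generic input access to Human Interface Devices (HID). TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 4 DISABLED ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Human Interface Device Access DEPENDENCIES : RpcSs SERVICE_START_NAME: LocalSystem
SERVICE_NAME: LexBceS (null) TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\LEXBCES.EXE LOAD_ORDER_GROUP : SpoolerGroup TAG : 0 DISPLAY_NAME : LexBce Server DEPENDENCIES : RPCSS SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RpcSs Provides the endpoint mapper and other miscellaneous RPC services. TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss LOAD_ORDER_GROUP : COM Infrastructure TAG : 0 DISPLAY_NAME : Remote Procedure Call (RPC) DEPENDENCIES : SERVICE_START_NAME: LocalSystem FAIL_RESET_PERIOD : 0 seconds FAILURE_ACTIONS : Reboot DELAY: 60000 seconds
SERVICE_NAME: ScsiAccess (null) TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Photodex\ProShowGold\progold3\ScsiAccess.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ScsiAccess DEPENDENCIES : SERVICE_START_NAME: LocalSystem
SERVICE_NAME: fakesvc (null) TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\WINDOWS\drvupd.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Driver Update (constructed) DEPENDENCIES : SERVICE_START_NAME: LocalSystem
"""

if __name__ == "__main__":
    for rec in parse_dump(SAMPLE_DUMP):
        print(f"{rec['name']:<12} start={rec['start']} acct={rec['account']} "
              f"host={svchost_group(rec) or '-'}")
    print()
    for name, reasons in triage_dump(SAMPLE_DUMP).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Flagged is not the same as malicious: on the machine in this thread the Trend Micro, PC Tools and Lexmark entries would all be listed, and each is an expected vendor service. The value of the pass is turning a ninety-entry dump into a handful of binaries whose vendor, file date and location are worth checking by hand, which is the same read Jintan did by eye.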

#18 Tomboymama (Authentic Member, 46 posts)

Posted 25 August 2007 - 01:19 PM

Well, I am glad my logs were not a total drudge :-). I have no idea what they mean, sadly.

I did get a Trend Micro popup this morning:

Denied access:
TROJ_AGENT.VPN
Infected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1710\A0280021.ini


ComboFix 07-08-23.5 - "AndiL" 2007-08-25 13:48:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.269 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-24 21:13 <DIR> d----c--- C:\getservice
2007-08-24 20:31 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-23 23:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 23:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 23:40 <DIR> d-------- C:\DOCUME~1\AndiL\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 00:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 22:52 82,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-08-18 22:52 57,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-08-18 22:52 40,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-08-18 22:52 29,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-08-18 22:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-18 22:52 <DIR> d-------- C:\DOCUME~1\AndiL\APPLIC~1\PC Tools
2007-08-18 22:50 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-08-18 21:43 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-17 23:57 <DIR> d-------- C:\WINDOWS\Google Toolbar
2007-08-17 19:44 5,140 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-11 16:50 4,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohciusb.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-25 10:15 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\WeatherBug
2007-08-25 10:15 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\WeatherBug
2007-08-24 15:07 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\BayScribe
2007-08-24 15:07 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\BayScribe
2007-08-24 08:13 2433 --a------ C:\WINDOWS\system32\drivers\ohciusb.zip
2007-08-24 06:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GuruNet
2007-08-18 21:48 --------- d-------- C:\Program Files\Pink Calendar
2007-08-18 21:30 131584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-08-18 00:05 --------- d-------- C:\Program Files\Collectorz.com
2007-08-18 00:03 --------- d-------- C:\Program Files\ICQ
2007-08-18 00:02 --------- d-------- C:\Program Files\WS_FTP Pro
2007-08-18 00:00 --------- d-------- C:\Program Files\MUSICMATCH
2007-08-17 23:59 --------- d-------- C:\Program Files\Ahead
2007-08-17 23:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 23:53 --------- d-------- C:\Program Files\Critical Thinking Software
2007-08-17 23:52 --------- d--h----- C:\Program Files\Zero G Registry
2007-08-17 23:52 --------- d-------- C:\Program Files\Critical Thinking Demos
2007-08-17 23:50 --------- d-------- C:\Program Files\Spelling Bee Tutor-PDA
2007-08-17 23:48 --------- d-------- C:\Program Files\Yahoo!
2007-08-17 23:48 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo
2007-08-13 09:41 --------- d-------- C:\Program Files\Red NoteBook
2007-08-11 16:16 --------- d-------- C:\Program Files\Creative
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 13:02 --------- d-------- C:\Program Files\BayScribe
2007-07-19 12:20 --------- d-------- C:\Program Files\Google
2007-07-05 13:44 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\Sibelius Software
2007-07-05 13:44 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\Sibelius Software
2007-07-05 13:42 --------- d-------- C:\Program Files\Sibelius Software
2005-09-19 12:30 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-05-18 00:18 224590 --a--c--- C:\WINDOWS\Fonts.\PCSimplicitee.exe
2005-05-18 00:18 145088 --a--c--- C:\WINDOWS\Fonts.\PCHardBall.exe
2005-05-18 00:18 141355 --a--c--- C:\WINDOWS\Fonts.\PCmichelle.exe
2005-05-18 00:18 138703 --a--c--- C:\WINDOWS\Fonts.\PCBrita.exe
2005-05-18 00:17 233454 --a--c--- C:\WINDOWS\Fonts.\PCLewis.exe
2005-05-18 00:17 146103 --a--c--- C:\WINDOWS\Fonts.\PCScratchPad.exe
2005-05-18 00:17 133873 --a--c--- C:\WINDOWS\Fonts.\pcplayful.exe
2005-05-18 00:17 128153 --a--c--- C:\WINDOWS\Fonts.\PCBigStick.exe
2005-05-18 00:17 124681 --a--c--- C:\WINDOWS\Fonts.\PCKnobbish.exe
2005-05-18 00:16 134489 --a--c--- C:\WINDOWS\Fonts.\PCGoo.exe
2005-05-18 00:16 131330 --a--c--- C:\WINDOWS\Fonts.\PCSketched.exe
2005-05-18 00:16 130498 --a--c--- C:\WINDOWS\Fonts.\PCEightBall.exe
2005-05-18 00:16 130000 --a--c--- C:\WINDOWS\Fonts.\PCJennPen.exe
2005-05-18 00:14 130751 --a--c--- C:\WINDOWS\Fonts.\PCSquirrelly.exe
2005-05-07 21:49 6132 --a--c--- C:\Program Files\top52--0047.htm
2005-05-07 21:48 6132 --a--c--- C:\Program Files\top52--0028.htm
2005-05-07 21:47 1039189 --a--c--- C:\Program Files1mp3ins.exe
2005-04-17 12:07 1584088 --a--c--- C:\Program Files\earpro4setup.exe
2005-03-27 20:08 10831584 --a--c--- C:\Program Files\PestPatrolv5.exe
2004-10-20 21:18 376672 --a--c--- C:\Program Files\DLM_2200043_ENU.exe
2004-06-22 21:03 411329 --a--c--- C:\Program Files\slimlist.exe
2004-05-04 11:50 8029451 --a--c--- C:\Program Files\SetupPestPatrolHome.exe
2004-04-07 09:28 2736029 --a--c--- C:\Program Files\treepadplus.zip
2004-02-19 23:15 457 --a--c--- C:\Program Files\INSTALL.LOG
2003-05-21 19:10 3662787 --a--c--- C:\Program Files\spybotsd12.exe
2003-05-15 11:17 2838184 --a--c--- C:\Program Files\ica32.exe
2003-05-13 23:30 260684 --a--c--- C:\Program Files\ICQMessageArchive.exe
2003-05-13 18:14 1897672 --a--c--- C:\Program Files\winzip81.exe
2003-05-12 22:51 660696 --a--c--- C:\Program Files\rednotebook19b.exe
2003-05-12 18:55 5082328 --a--c--- C:\Program Files\cuteftppro.exe
2003-05-12 18:48 3025408 --a--c--- C:\Program Files\cuteftp.exe
2003-05-12 18:16 3978384 --a--c--- C:\Program Files\icqpro2003a.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E028439-81C7-4B82-BC74-25156306F532}]
2007-06-14 09:10 258048 --a------ C:\Program Files\BayScribe\bayscribe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2003-06-17 10:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-29 18:31]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 17:02]
"TB_setup"="C:\DOCUME~1\AndiL\LOCALS~1\Temp\TB_ANI~1.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 20:14]

C:\DOCUME~1\AndiL\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
PinkCal.lnk - C:\Program Files\Pink Calendar\PinkCal.exe [2007-08-18 21:30:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"Notification Packages"= :\WINDOWS\System32\srrstr.dll cecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GuruNet.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GuruNet.lnk
backup=C:\WINDOWS\pss\GuruNet.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
backup=C:\WINDOWS\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\.lnk
backup=C:\WINDOWS\pss\.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^eBot.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\eBot.lnk
backup=C:\WINDOWS\pss\eBot.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohciusb.sys
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\System32\DRIVERS\ss.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\System32\Drivers\StMp3Rec.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\System32\DRIVERS\VNUSB.sys


Contents of the 'Scheduled Tasks' folder
2007-08-22 23:01:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-21 06:56:23 C:\WINDOWS\Tasks\PPv5Scan_Daily as AndiL at 1 55 AM.job - C:\Program Files\CA\eTrust PestPatrol\ppv5consumercl.exe
2007-08-24 17:12:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
2007-05-16 17:12:19 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 13:55:14
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-25 13:57:24
C:\ComboFix-quarantined-files.txt ... 2007-08-25 13:56
C:\ComboFix2.txt ... 2007-08-23 01:01

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 2:17:25 PM, on 8/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Photodex\ProShowGold\progold3\ScsiAccess.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Pink Calendar\PinkCal.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~3\PccIeBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: BayScribeBHO - {5E028439-81C7-4B82-BC74-25156306F532} - C:\Program Files\BayScribe\bayscribe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~3\PccIeBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: PinkCal.lnk = C:\Program Files\Pink Calendar\PinkCal.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm824DHUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\progold3\ScsiAccess.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

#19 Jintan

    Advanced Member

  • Visiting Fellow
  • 791 posts

Posted 25 August 2007 - 05:29 PM

Let's run a follow-up scan now, but so far that System Restore item you just mentioned is all that is showing of infection.



Right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure; click Yes. This will delete the restore points. Then recheck the box, and Apply/OK. This is the fast reset, though not all info changes will be completed until after a reboot.


Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.


To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)". Then post that back here please.



Also there is one still unfamiliar setting there I would like you to check. Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) cecli in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please.
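A PowerShell stand-in for the registry string search and the LSA check the post asks for, added here as an example (it is not the thread's own tool, nor Bill James's RegSrch.vbs); the search string "cecli" and the Lsa key come from the ComboFix log above, while the function names and output file are my own choices:

```powershell
# Added example, not the thread's tool: a PowerShell stand-in for a registry
# string search, plus a direct read of the LSA "Notification Packages" value
# where the ComboFix log above showed the "cecli" fragment.
# Run from an elevated prompt; it walks HKLM and HKCU, which takes a few minutes.
param(
    [string]$Pattern = 'cecli',               # string the helper asked to search for
    [string[]]$Roots = @('HKLM:\', 'HKCU:\')  # hives to walk; add HKU:\ for other profiles
)

function Search-RegistryString {
    param([string]$Pattern, [string[]]$Roots)
    # Case-insensitive literal match against key names, value names and value data,
    # the same three places a registry search tool looks.
    $rx = [regex]::Escape($Pattern)
    foreach ($root in $Roots) {
        # SilentlyContinue skips keys the current token is not allowed to open (e.g. SAM)
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $rx) {
                [pscustomobject]@{ Key = $key.Name; Where = 'KeyName'; Value = ''; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                try {
                    # Do not expand %VARS% so REG_EXPAND_SZ data is reported as stored
                    $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                } catch { continue }
                # REG_MULTI_SZ comes back as a string array; flatten it for matching
                $text = if ($data -is [array]) { ($data | ForEach-Object { "$_" }) -join ' ' } else { "$data" }
                if ($name -match $rx) {
                    [pscustomobject]@{ Key = $key.Name; Where = 'ValueName'; Value = $name; Data = $text }
                } elseif ($text -match $rx) {
                    [pscustomobject]@{ Key = $key.Name; Where = 'ValueData'; Value = $name; Data = $text }
                }
            }
        }
    }
}

function Get-LsaNotificationPackages {
    # REG_MULTI_SZ list of DLL base names that lsass.exe loads at boot to receive
    # password-change notifications. Legitimate entries are bare names resolved
    # from System32 (a stock XP install lists only "scecli"), so an entry that
    # carries a path separator or an unfamiliar name is what the helper wants to see.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -Name 'Notification Packages'
    foreach ($entry in @($lsa.'Notification Packages')) {
        [pscustomobject]@{
            Entry     = $entry
            IsDefault = ($entry -ieq 'scecli')
            HasPath   = ($entry -match '[\\:/]')
        }
    }
}

# --- main: run the search, show the hits, and save them as a text file to post back ---
$hits = @(Search-RegistryString -Pattern $Pattern -Roots $Roots)
Write-Host ("Registry search results for string ""{0}"" {1}" -f $Pattern, (Get-Date))
$hits | Format-Table -AutoSize -Wrap

Write-Host "`nHKLM\SYSTEM\CurrentControlSet\Control\Lsa : Notification Packages"
Get-LsaNotificationPackages | Format-Table -AutoSize

$out = Join-Path $env:USERPROFILE "Desktop\RegSearch-$Pattern.txt"
$hits | Format-Table -AutoSize -Wrap | Out-File -FilePath $out -Width 300
Write-Host "Hits written to $out"
```

Substring matches such as "scecli" and "OfficeClipArt" will show up alongside anything genuinely odd, so read the Key and Where columns rather than counting hits.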

#20 Tomboymama

    Authentic Member

  • Authentic Member
  • 46 posts

Posted 25 August 2007 - 11:08 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 25, 2007 11:56:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/08/2007
Kaspersky Anti-Virus database records: 391520
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 99004
Number of viruses found: 5
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 02:31:13

Infected Object Name / Virus Name / Last Action
C:\195.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\195.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\195.tmp NSIS: infected - 2 skipped
C:\196.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\1E5.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E5.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E5.tmp NSIS: infected - 2 skipped
C:\1E6.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\AndiL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\AndiL\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\AndiL\Desktop\trend log.CSV Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Temp\108.tmp Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Temp\~DF465E.tmp Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Temp\~DF7F7B.tmp Object is locked skipped
C:\Documents and Settings\AndiL\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AndiL\ntuser.dat Object is locked skipped
C:\Documents and Settings\AndiL\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\hanonvt_bac.VI2 Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1712\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "cecli" 8/25/2007 11:59:35 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\9040030900063D11C8EF00054038389C]
"Clips"="OfficeClipArt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\9040030900063D11C8EF00054038389C]
"OfficeClipArt"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\9040030900063D11C8EF00054038389C]
"NotInstalled"="OfficeClipArt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\9040030900063D11C8EF00054038389C]
"ProductNonBootFiles"="OfficeClipArt"
"Clips"="z3aPK[`+`9I1~x,$l9K05C0FEm%Wa=QtKVvy'69-n+h&*c5p}917ZTDE0vX$s)RhG8tWr=t`pgO,!W53U}S''dJeH=__j)6B%n~q*au=vOE$=?)f^l9j*t,'1]cJ(1-Ek=~mw=-Fp@fRuReDcMgII=PS6a6WSEuIW^F_R?rx(=xs^^LOb?7d_QWq1IU]q=ws*WPJwUqn1^g+eX1Y)A`~JOjMu3BPP@PMm}z7$9FrFI1k)!%da{IBDrmwDAAM92Zb}B`QOfficeClipArt"
"Clips"="z3aPK[`+`9I1~x,$l9K05C0FEm%Wa=QtKVvy'69-n+h&*c5p}917ZTDE0vX$s)RhG8tWr=t`pgO,!W53U}S''dJeH=__j)6B%n~q*au=vOE$=?)f^l9j*t,'1]cJ(1-Ek=~mw=-Fp@fRuReDcMgII=PS6a6WSEuIW^F_R?rx(=xs^^LOb?7d_QWq1IU]q=ws*WPJwUqn1^g+eX1Y)A`~JOjMu3BPP@PMm}z7$9FrFI1k)!%da{IBDrmwDAAM92Zb}B`QOfficeClipArt"
"OfficeClipArt"="nc!BJ6!dM9!u@jtQnZTPb5Dz]AA.@A*.&tVUl^1s"
"Clips"="z3aPK[`+`9I1~x,$l9K05C0FEm%Wa=QtKVvy'69-n+h&*c5p}917ZTDE0vX$s)RhG8tWr=t`pgO,!W53U}S''dJeH=__j)6B%n~q*au=vOE$=?)f^l9j*t,'1]cJ(1-Ek=~mw=-Fp@fRuReDcMgII=PS6a6WSEuIW^F_R?rx(=xs^^LOb?7d_QWq1IU]q=ws*WPJwUqn1^g+eX1Y)A`~JOjMu3BPP@PMm}z7$9FrFI1k)!%da{IBDrmwDAAM92Zb}B`QOfficeClipArt"
"NotInstalled"="OfficeClipArt"
"ProductNonBootFiles"="}cHQ?K@mf([['L[_GKbaOfficeClipArt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040030900063D11C8EF00054038389C\Usage]
"OfficeClipArt"=dword:351c0012

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Wds\rdpwd]
"fForceClientLptDef"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp]
"fForceClientLptDef"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\SceCli]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\Wds\rdpwd] "fForceClientLptDef"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp] "fForceClientLptDef"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\SceCli] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd] "fForceClientLptDef"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] "fForceClientLptDef"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SceCli]
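The Kaspersky log above is mostly "Object is locked" noise from registry hives, event logs and profile hives, with a handful of real detections mixed in. The script below is an added example (not code from this thread or from Kaspersky) that separates the two, so the detections can be read off without scanning the whole listing by eye. The sample log is constructed from a few of the lines posted above; the list of "expected locked" path markers is an assumption about what a live XP system normally holds open, not anything the scanner reports.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Kaspersky log posted in this thread
# (one entry per line, as the scanner writes it).
SAMPLE_LOG = r"""
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\AndiL\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\AndiL\Desktop\trend log.CSV Object is locked skipped
C:\Documents and Settings\AndiL\ntuser.dat Object is locked skipped
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\hanonvt_bac.VI2 Infected: Trojan-Downloader.Win32.Agent.bxx skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
Scan process completed.
"""

# Paths may contain spaces, so anchor on the verdict keywords that sit between
# the path and the trailing word "skipped" rather than splitting on whitespace.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)|(?P<archive>\S+: infected - \d+)) "
    r"skipped$"
)

def parse_log(text):
    """Return (path, kind, detail) tuples; kind is 'infected', 'locked' or 'archive'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banner lines and "Scan process completed."
        if m.group("name"):
            entries.append((m.group("path"), "infected", m.group("name")))
        elif m.group("locked"):
            entries.append((m.group("path"), "locked", ""))
        else:
            entries.append((m.group("path"), "archive", m.group("archive")))
    return entries

# Assumed markers for files a running XP system always holds open: registry
# hives under CONFIG, per-user hives and IE index files. A locked file outside
# these is worth a second look (it may simply be open in another program).
EXPECTED_LOCKED = ("\\CONFIG\\", "ntuser.dat", "UsrClass.dat", "index.dat")

def triage(text):
    """Split the log into real detections and the locked-file noise."""
    entries = parse_log(text)
    detections = [(p, d) for p, k, d in entries if k == "infected"]
    # Archive-level lines only summarise detections already reported inside the archive.
    archive_summaries = [(p, d) for p, k, d in entries if k == "archive"]
    locked = [p for p, k, _ in entries if k == "locked"]
    unexpected_locked = [p for p in locked
                         if not any(m.lower() in p.lower() for m in EXPECTED_LOCKED)]
    # Kaspersky prefixes riskware/adware names with "not-a-virus:"; everything else is malware.
    by_class = Counter("riskware" if d.startswith("not-a-virus:") else "malware"
                       for _, d in detections)
    return {
        "detections": detections,
        "archive_summaries": archive_summaries,
        "locked_count": len(locked),
        "unexpected_locked": unexpected_locked,
        "by_class": dict(by_class),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, name in result["detections"]:
        print("DETECTION", name, path)
    print("locked objects:", result["locked_count"], "unexpected:", result["unexpected_locked"])
```

On the sample this reports three detections (two riskware, one trojan in the Trend Micro quarantine) and three locked objects, of which only the desktop CSV falls outside the expected set. The quarantine hit is a detection of a file another product has already isolated, which is why a human still needs to read the path before acting on the count.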

#21 Jintan

Jintan

    Advanced Member

  • Visiting Fellow
  • PipPipPipPip
  • 791 posts

Posted 26 August 2007 - 02:26 PM

Wow - nice new forum background colors, ey?

Kaspersky located some infection files that had slipped by so far, but mostly showing normally locked system functions. The registry search only shows perhaps curious looking but normal registry entries for Word and other functions, but does not show what is showing in other logs, which suggests the item I am looking at has possible undesirable use there.



Open notepad and copy/paste the text in the codebox below into it:

File::
C:\195.tmp
C:\196.tmp
C:\1E5.tmp
C:\1E6.tmp
Folder::
C:\Program Files\MyWebSearchWB

Save this as "CFScript"

(include the "quotation marks" with the name)


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will run as it has for you already. When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply.



Also Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder

When you have done this, doubleclick on Gmer.exe to run it and click on Settings. Check the first five settings (see below)

System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log


You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab. Look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.



One additional task - Go to Start > Run and type:

cmd.exe

and ok. Copy and paste the below string after the prompt >

dir /s /a "c:\srrstr*.*" > c:\find.txt & start notepad c:\find.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

#22 Tomboymama

Tomboymama

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 26 August 2007 - 04:02 PM

ComboFix 07-08-23.5 - "AndiL" 2007-08-26 16:24:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.357 [GMT -5:00]
Command switches used :: C:\Documents and Settings\AndiL\Desktop\CFScript
* Created a new restore point

FILE::
C:\195.tmp
C:\196.tmp
C:\1E5.tmp
C:\1E6.tmp


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\195.tmp
C:\196.tmp
C:\1E5.tmp
C:\1E6.tmp
C:\Program Files\MyWebSearchWB
C:\Program Files\MyWebSearchWB\bar\1.bin\W6FFXTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6NTSTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL
C:\Program Files\MyWebSearchWB\bar\Cache025876.bin
C:\Program Files\MyWebSearchWB\bar\Cache025FF8.bin
C:\Program Files\MyWebSearchWB\bar\Cache027CF6.bin
C:\Program Files\MyWebSearchWB\bar\Cache02895A.bin
C:\Program Files\MyWebSearchWB\bar\Cache02A406.bin
C:\Program Files\MyWebSearchWB\bar\Cache02BD7A
C:\Program Files\MyWebSearchWB\bar\Cache02C26B.bin
C:\Program Files\MyWebSearchWB\bar\Cache06880E.bin
C:\Program Files\MyWebSearchWB\bar\Cache08772C.bin
C:\Program Files\MyWebSearchWB\bar\Cache0BC85B.bin
C:\Program Files\MyWebSearchWB\bar\Cache0C3C53.bin
C:\Program Files\MyWebSearchWB\bar\Cache0FAEC5.bin
C:\Program Files\MyWebSearchWB\bar\Cache104A49.bin
C:\Program Files\MyWebSearchWB\bar\Cache13A50D
C:\Program Files\MyWebSearchWB\bar\Cache15FFB6.bin
C:\Program Files\MyWebSearchWB\bar\Cache160842.bin
C:\Program Files\MyWebSearchWB\bar\Cache16E40B.bin
C:\Program Files\MyWebSearchWB\bar\Cache1BD955.bin
C:\Program Files\MyWebSearchWB\bar\Cache1D8D3F
C:\Program Files\MyWebSearchWB\bar\Cache1F7095.bin
C:\Program Files\MyWebSearchWB\bar\Cache1F72B8.bin
C:\Program Files\MyWebSearchWB\bar\Cache2047FA.bin
C:\Program Files\MyWebSearchWB\bar\Cache2417AF.bin
C:\Program Files\MyWebSearchWB\bar\Cache25EC21.bin
C:\Program Files\MyWebSearchWB\bar\Cache286629.bin
C:\Program Files\MyWebSearchWB\bar\Cache287AF9.bin
C:\Program Files\MyWebSearchWB\bar\Cache2DCEFD.bin
C:\Program Files\MyWebSearchWB\bar\Cache32D137.bin
C:\Program Files\MyWebSearchWB\bar\Cache39DA1E.bin
C:\Program Files\MyWebSearchWB\bar\Cache4843C1.bin
C:\Program Files\MyWebSearchWB\bar\Cache494775.bin
C:\Program Files\MyWebSearchWB\bar\Cache54FD91.bin
C:\Program Files\MyWebSearchWB\bar\Cache566ABD.bin
C:\Program Files\MyWebSearchWB\bar\Cache574A6F.bin
C:\Program Files\MyWebSearchWB\bar\Cache682B5B.bin
C:\Program Files\MyWebSearchWB\bar\Cache753EF4.bin
C:\Program Files\MyWebSearchWB\bar\Cache83F772.bin
C:\Program Files\MyWebSearchWB\bar\Cache8BB765.bin
C:\Program Files\MyWebSearchWB\bar\Cache8BE386.bin
C:\Program Files\MyWebSearchWB\bar\Cache8C1DCF.bin
C:\Program Files\MyWebSearchWB\bar\Cache91FFFA.bin
C:\Program Files\MyWebSearchWB\bar\Cache9752C5
C:\Program Files\MyWebSearchWB\bar\Cache9AA02A
C:\Program Files\MyWebSearchWB\bar\CacheB19B97.bin
C:\Program Files\MyWebSearchWB\bar\CacheB2BFF2.bin
C:\Program Files\MyWebSearchWB\bar\CacheB443C4.bin
C:\Program Files\MyWebSearchWB\bar\CacheC2B2F4.bin
C:\Program Files\MyWebSearchWB\bar\CacheC62F5A.bin
C:\Program Files\MyWebSearchWB\bar\CacheCD5483.bin
C:\Program Files\MyWebSearchWB\bar\CacheD5861C.bin
C:\Program Files\MyWebSearchWB\bar\CacheE02E71.bin
C:\Program Files\MyWebSearchWB\bar\CacheEC1F24.bin
C:\Program Files\MyWebSearchWB\bar\CacheF9FC46.bin
C:\Program Files\MyWebSearchWB\bar\Cache115582E.bin
C:\Program Files\MyWebSearchWB\bar\Cache11994C7.bin
C:\Program Files\MyWebSearchWB\bar\Cache11995F0.bin
C:\Program Files\MyWebSearchWB\bar\Cache11996DA.bin
C:\Program Files\MyWebSearchWB\bar\Cache1199786.bin
C:\Program Files\MyWebSearchWB\bar\Cache119B5BC.bin
C:\Program Files\MyWebSearchWB\bar\Cache119B6D5.bin
C:\Program Files\MyWebSearchWB\bar\Cache119B7A1.bin
C:\Program Files\MyWebSearchWB\bar\Cache11D5D96.bin
C:\Program Files\MyWebSearchWB\bar\Cache11D5EEE.bin
C:\Program Files\MyWebSearchWB\bar\Cache11D6B62.bin
C:\Program Files\MyWebSearchWB\bar\Cache11D6C1D.bin
C:\Program Files\MyWebSearchWB\bar\Cache125FCEC
C:\Program Files\MyWebSearchWB\bar\Cache128D2A2.bin
C:\Program Files\MyWebSearchWB\bar\Cache12C585D.bin
C:\Program Files\MyWebSearchWB\bar\Cache12C5977.bin
C:\Program Files\MyWebSearchWB\bar\Cache12C5A51.bin
C:\Program Files\MyWebSearchWB\bar\Cache13A0E50.bin
C:\Program Files\MyWebSearchWB\bar\Cache13C3F0B.bin
C:\Program Files\MyWebSearchWB\bar\Cache159224F.bin
C:\Program Files\MyWebSearchWB\bar\Cache15D5DDD.bin
C:\Program Files\MyWebSearchWB\bar\Cache15FC6EE.bin
C:\Program Files\MyWebSearchWB\bar\Cache167C9C6.bin
C:\Program Files\MyWebSearchWB\bar\Cache167F460.bin
C:\Program Files\MyWebSearchWB\bar\Cache1966E91.bin
C:\Program Files\MyWebSearchWB\bar\Cache1966F8B.bin
C:\Program Files\MyWebSearchWB\bar\Cache1967076.bin
C:\Program Files\MyWebSearchWB\bar\Cache1967122.bin
C:\Program Files\MyWebSearchWB\bar\Cache19671ED.bin
C:\Program Files\MyWebSearchWB\bar\Cache19672B8.bin
C:\Program Files\MyWebSearchWB\bar\Cache19B762A.bin
C:\Program Files\MyWebSearchWB\bar\Cache19E8A50.bin
C:\Program Files\MyWebSearchWB\bar\Cache1A1807E.bin
C:\Program Files\MyWebSearchWB\bar\Cache1CA5233.bin
C:\Program Files\MyWebSearchWB\bar\Cache1E10C8F.bin
C:\Program Files\MyWebSearchWB\bar\Cache1E5CA2E.bin
C:\Program Files\MyWebSearchWB\bar\Cache1F94A5E.bin
C:\Program Files\MyWebSearchWB\bar\Cache1FDA099
C:\Program Files\MyWebSearchWB\bar\Cache2014249.bin
C:\Program Files\MyWebSearchWB\bar\Cache20D49FF.bin
C:\Program Files\MyWebSearchWB\bar\Cache20D4B47.bin
C:\Program Files\MyWebSearchWB\bar\Cache20D4BE4.bin
C:\Program Files\MyWebSearchWB\bar\Cache212EA7D.bin
C:\Program Files\MyWebSearchWB\bar\Cache2287C47.bin
C:\Program Files\MyWebSearchWB\bar\Cache233B498.bin
C:\Program Files\MyWebSearchWB\bar\Cache233B592.bin
C:\Program Files\MyWebSearchWB\bar\Cache233B67C.bin
C:\Program Files\MyWebSearchWB\bar\Cache233B728.bin
C:\Program Files\MyWebSearchWB\bar\Cache233B7E3.bin
C:\Program Files\MyWebSearchWB\bar\Cache23F58A2.bin
C:\Program Files\MyWebSearchWB\bar\Cache2952684.bin
C:\Program Files\MyWebSearchWB\bar\Cache29F52D3.bin
C:\Program Files\MyWebSearchWB\bar\Cache2A6156A.bin
C:\Program Files\MyWebSearchWB\bar\Cache2CCC019.bin
C:\Program Files\MyWebSearchWB\bar\Cache2E8BC77.bin
C:\Program Files\MyWebSearchWB\bar\Cache32B8CD6.bin
C:\Program Files\MyWebSearchWB\bar\Cache32B8DEF.bin
C:\Program Files\MyWebSearchWB\bar\Cache32B8EAA.bin
C:\Program Files\MyWebSearchWB\bar\Cache32B8F75.bin
C:\Program Files\MyWebSearchWB\bar\Cache3566DD3.bin
C:\Program Files\MyWebSearchWB\bar\Cache3566EDD.bin
C:\Program Files\MyWebSearchWB\bar\Cache3566F88.bin
C:\Program Files\MyWebSearchWB\bar\Cache38F9981.bin
C:\Program Files\MyWebSearchWB\bar\Cache\files.ini
C:\Program Files\MyWebSearchWB\bar\History\search
C:\Program Files\MyWebSearchWB\bar\Settings\prevcfg.htm


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-25 19:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-25 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-24 21:13 <DIR> d----c--- C:\getservice
2007-08-24 20:31 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-23 23:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 23:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 23:40 <DIR> d-------- C:\DOCUME~1\AndiL\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 00:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 22:52 82,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-08-18 22:52 57,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-08-18 22:52 40,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-08-18 22:52 29,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-08-18 22:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-18 22:52 <DIR> d-------- C:\DOCUME~1\AndiL\APPLIC~1\PC Tools
2007-08-18 22:50 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-08-18 21:43 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-17 23:57 <DIR> d-------- C:\WINDOWS\Google Toolbar
2007-08-17 19:44 5,140 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-08-11 16:50 4,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ohciusb.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 12:19 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\BayScribe
2007-08-26 12:19 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\BayScribe
2007-08-26 09:47 131584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-08-25 10:15 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\WeatherBug
2007-08-25 10:15 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\WeatherBug
2007-08-24 08:13 2433 --a------ C:\WINDOWS\system32\drivers\ohciusb.zip
2007-08-24 06:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GuruNet
2007-08-18 21:48 --------- d-------- C:\Program Files\Pink Calendar
2007-08-18 00:05 --------- d-------- C:\Program Files\Collectorz.com
2007-08-18 00:03 --------- d-------- C:\Program Files\ICQ
2007-08-18 00:02 --------- d-------- C:\Program Files\WS_FTP Pro
2007-08-18 00:00 --------- d-------- C:\Program Files\MUSICMATCH
2007-08-17 23:59 --------- d-------- C:\Program Files\Ahead
2007-08-17 23:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 23:53 --------- d-------- C:\Program Files\Critical Thinking Software
2007-08-17 23:52 --------- d--h----- C:\Program Files\Zero G Registry
2007-08-17 23:52 --------- d-------- C:\Program Files\Critical Thinking Demos
2007-08-17 23:50 --------- d-------- C:\Program Files\Spelling Bee Tutor-PDA
2007-08-17 23:48 --------- d-------- C:\Program Files\Yahoo!
2007-08-17 23:48 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo
2007-08-13 09:41 --------- d-------- C:\Program Files\Red NoteBook
2007-08-11 16:16 --------- d-------- C:\Program Files\Creative
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 13:02 --------- d-------- C:\Program Files\BayScribe
2007-07-19 12:20 --------- d-------- C:\Program Files\Google
2007-07-05 13:44 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\Sibelius Software
2007-07-05 13:44 --------- d-------- C:\DOCUME~1\AndiL\APPLIC~1\Sibelius Software
2007-07-05 13:42 --------- d-------- C:\Program Files\Sibelius Software
2005-09-19 12:30 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-05-18 00:18 224590 --a--c--- C:\WINDOWS\Fonts.\PCSimplicitee.exe
2005-05-18 00:18 145088 --a--c--- C:\WINDOWS\Fonts.\PCHardBall.exe
2005-05-18 00:18 141355 --a--c--- C:\WINDOWS\Fonts.\PCmichelle.exe
2005-05-18 00:18 138703 --a--c--- C:\WINDOWS\Fonts.\PCBrita.exe
2005-05-18 00:17 233454 --a--c--- C:\WINDOWS\Fonts.\PCLewis.exe
2005-05-18 00:17 146103 --a--c--- C:\WINDOWS\Fonts.\PCScratchPad.exe
2005-05-18 00:17 133873 --a--c--- C:\WINDOWS\Fonts.\pcplayful.exe
2005-05-18 00:17 128153 --a--c--- C:\WINDOWS\Fonts.\PCBigStick.exe
2005-05-18 00:17 124681 --a--c--- C:\WINDOWS\Fonts.\PCKnobbish.exe
2005-05-18 00:16 134489 --a--c--- C:\WINDOWS\Fonts.\PCGoo.exe
2005-05-18 00:16 131330 --a--c--- C:\WINDOWS\Fonts.\PCSketched.exe
2005-05-18 00:16 130498 --a--c--- C:\WINDOWS\Fonts.\PCEightBall.exe
2005-05-18 00:16 130000 --a--c--- C:\WINDOWS\Fonts.\PCJennPen.exe
2005-05-18 00:14 130751 --a--c--- C:\WINDOWS\Fonts.\PCSquirrelly.exe
2005-05-07 21:49 6132 --a--c--- C:\Program Files\top52--0047.htm
2005-05-07 21:48 6132 --a--c--- C:\Program Files\top52--0028.htm
2005-05-07 21:47 1039189 --a--c--- C:\Program Files1mp3ins.exe
2005-04-17 12:07 1584088 --a--c--- C:\Program Files\earpro4setup.exe
2005-03-27 20:08 10831584 --a--c--- C:\Program Files\PestPatrolv5.exe
2004-10-20 21:18 376672 --a--c--- C:\Program Files\DLM_2200043_ENU.exe
2004-06-22 21:03 411329 --a--c--- C:\Program Files\slimlist.exe
2004-05-04 11:50 8029451 --a--c--- C:\Program Files\SetupPestPatrolHome.exe
2004-04-07 09:28 2736029 --a--c--- C:\Program Files\treepadplus.zip
2004-02-19 23:15 457 --a--c--- C:\Program Files\INSTALL.LOG
2003-05-21 19:10 3662787 --a--c--- C:\Program Files\spybotsd12.exe
2003-05-15 11:17 2838184 --a--c--- C:\Program Files\ica32.exe
2003-05-13 23:30 260684 --a--c--- C:\Program Files\ICQMessageArchive.exe
2003-05-13 18:14 1897672 --a--c--- C:\Program Files\winzip81.exe
2003-05-12 22:51 660696 --a--c--- C:\Program Files\rednotebook19b.exe
2003-05-12 18:55 5082328 --a--c--- C:\Program Files\cuteftppro.exe
2003-05-12 18:48 3025408 --a--c--- C:\Program Files\cuteftp.exe
2003-05-12 18:16 3978384 --a--c--- C:\Program Files\icqpro2003a.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E028439-81C7-4B82-BC74-25156306F532}]
2007-06-14 09:10 258048 --a------ C:\Program Files\BayScribe\bayscribe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2003-06-17 10:12]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-29 18:31]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 21:45]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 16:52]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 17:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 13:58]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 20:14]

C:\DOCUME~1\AndiL\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]
PinkCal.lnk - C:\Program Files\Pink Calendar\PinkCal.exe [2007-08-18 21:30:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"Notification Packages"= :\WINDOWS\System32\srrstr.dll cecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup=C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINDOWS\pss\eFax Tray Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GuruNet.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GuruNet.lnk
backup=C:\WINDOWS\pss\GuruNet.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
backup=C:\WINDOWS\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\.lnk
backup=C:\WINDOWS\pss\.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^eBot.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\eBot.lnk
backup=C:\WINDOWS\pss\eBot.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^AndiL^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\AndiL\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R2 ohciusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohciusb.sys
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\System32\DRIVERS\BCMSM.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\System32\DRIVERS\ss.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\System32\Drivers\StMp3Rec.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\System32\DRIVERS\VNUSB.sys


Contents of the 'Scheduled Tasks' folder
2007-08-22 23:01:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-21 06:56:23 C:\WINDOWS\Tasks\PPv5Scan_Daily as AndiL at 1 55 AM.job - C:\Program Files\CA\eTrust PestPatrol\ppv5consumercl.exe
2007-08-24 17:12:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
2007-05-16 17:12:19 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 16:34:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 16:40:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 16:40
C:\ComboFix2.txt ... 2007-08-25 13:57
C:\ComboFix3.txt ... 2007-08-23 01:01

--- E O F ---

#23 Tomboymama

Tomboymama

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 26 August 2007 - 05:24 PM

I am having a problem getting Gmer to complete a scan. It scans awhile and stops (although I don't think it is finished scanning) but if I choose copy I get an error that the program has encountered a problem and needs to close. I will keep trying to get a full scan on that. Here is the other information you requested:

 Volume in drive C has no label.
 Volume Serial Number is 98E4-1DFC

 Directory of c:\I386

08/29/2002  05:00 AM           226,304 SRRSTR.DLL
               1 File(s)        226,304 bytes

 Directory of c:\WINDOWS\$NtUninstallKB835409$

11/14/2002  12:50 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

 Directory of c:\WINDOWS\$NtUninstallQ329441$

08/29/2002  05:00 AM           226,304 srrstr.dll
               1 File(s)        226,304 bytes

 Directory of c:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e

08/04/2004  02:56 AM           239,104 srrstr.dll
               1 File(s)        239,104 bytes

 Directory of c:\WINDOWS\SYSTEM32

10/27/2005  02:06 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

 Directory of c:\WINDOWS\SYSTEM32\DLLCACHE

10/27/2005  02:06 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

     Total Files Listed:
               6 File(s)      1,372,160 bytes
               0 Dir(s)  10,493,571,072 bytes free

P.S. The new forum is pretty snazzy and I like the clever name!
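The dir /s /a command from post #21 produces a listing of every copy of srrstr.dll on the drive, and the point of asking for it is to compare those copies with the live one in system32. The script below is an added example (not code from this thread) that parses such a listing and flags copies outside the folders where Windows itself keeps spares. The sample listing is constructed from the six copies posted above; the set of "expected" folders (I386 install source, the dllcache used by Windows File Protection, hotfix uninstall folders, the Windows Update download cache) is my assumption, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample in the layout "dir /s /a" prints, using the srrstr.dll
# copies listed in this thread.
SAMPLE_DIR = r"""
 Volume in drive C has no label.
 Volume Serial Number is 98E4-1DFC

 Directory of c:\I386

08/29/2002  05:00 AM           226,304 SRRSTR.DLL
               1 File(s)        226,304 bytes

 Directory of c:\WINDOWS\$NtUninstallKB835409$

11/14/2002  12:50 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

 Directory of c:\WINDOWS\$NtUninstallQ329441$

08/29/2002  05:00 AM           226,304 srrstr.dll
               1 File(s)        226,304 bytes

 Directory of c:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e

08/04/2004  02:56 AM           239,104 srrstr.dll
               1 File(s)        239,104 bytes

 Directory of c:\WINDOWS\SYSTEM32

10/27/2005  02:06 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

 Directory of c:\WINDOWS\SYSTEM32\DLLCACHE

10/27/2005  02:06 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes

     Total Files Listed:
               6 File(s)      1,372,160 bytes
               0 Dir(s)  10,493,571,072 bytes free
"""

DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# File rows start with a date; "<DIR>" rows and the "n File(s)" summaries do not match.
FILE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$"
)

def parse_dir_listing(text):
    """Return a dict (dir, name, size, stamp) for every file in a dir /s listing."""
    files, current = [], None
    for line in text.splitlines():
        h = DIR_HEADER_RE.match(line)
        if h:
            current = h.group("dir")
            continue
        f = FILE_RE.match(line)
        if f and current:
            files.append({
                "dir": current,
                "name": f.group("name"),
                "size": int(f.group("size").replace(",", "")),
                "stamp": f.group("date") + " " + f.group("time"),
            })
    return files

# Assumed: folders where XP legitimately keeps spare copies of a system DLL.
EXPECTED_DIRS = (r"\I386", r"\SYSTEM32\DLLCACHE", r"\$NtUninstall", r"\SoftwareDistribution\Download")

def review_copies(text, live_dir=r"c:\WINDOWS\SYSTEM32"):
    """Compare every copy against the live one in system32 and list what a human should look at."""
    files = parse_dir_listing(text)
    live = [f for f in files if f["dir"].lower() == live_dir.lower()]
    if not live:
        raise ValueError("no live copy found in " + live_dir)
    live_size = live[0]["size"]
    findings = []
    for f in files:
        if f["dir"].lower() == live_dir.lower():
            continue
        in_expected = any(m.lower() in f["dir"].lower() for m in EXPECTED_DIRS)
        if not in_expected:
            findings.append(("unexpected location", f["dir"]))
        elif f["size"] != live_size and "DLLCACHE" in f["dir"].upper():
            # Windows File Protection keeps dllcache identical to system32; a mismatch there matters.
            findings.append(("dllcache differs from live copy", f["dir"]))
    sizes = Counter(f["size"] for f in files)
    return {"copies": len(files), "live_size": live_size,
            "distinct_sizes": len(sizes), "findings": findings}

if __name__ == "__main__":
    print(review_copies(SAMPLE_DIR))
```

Older copies in I386 and the hotfix uninstall folders are expected to differ in size from the live DLL, so only a size mismatch in dllcache or a copy in an unexpected folder is reported. On the sample listing that yields no findings, which matches the reply in post #25 that those files look okay.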

#24 Tomboymama

Tomboymama

    Authentic Member

  • Authentic Member
  • PipPip
  • 46 posts

Posted 26 August 2007 - 07:19 PM

I am still unable to get the Gmer scan to complete and get a log. I have tried numerous times and it just quits scanning. When I attempt to copy or save the log, I get an error that the program needs to close. Not sure what to do at this point. Thanks

#25 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 26 August 2007 - 07:22 PM

Those files seem okay. On this system do you use a password required logon? For the GMER I need to check - you did the step where you made the settings changes, then rebooted (important), and then ran GMER?
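The judgement "those files seem okay" rests on comparing the copies of srrstr.dll listed in post #23: the live copy in SYSTEM32 has the same size and timestamp as the Windows File Protection backup in SYSTEM32\DLLCACHE, and the other copies are older service-pack or uninstall snapshots. The script below is an added example, not part of the thread and not tooling from GMER, Blacklight or the forum; it parses a pasted `dir /s` listing and performs that comparison automatically. The first sample is the poster's own listing restored to one entry per line; the second (TAMPERED_DIR_OUTPUT) is a constructed, hypothetical listing showing what a mismatch would look like.

```python
import re
from collections import defaultdict

# Constructed sample: the "dir /s" listing from post #23, restored to one entry
# per line (blank lines omitted). Paths, sizes and dates are the poster's own.
SAMPLE_DIR_OUTPUT = r"""
 Directory of c:\I386
08/29/2002  05:00 AM           226,304 SRRSTR.DLL
               1 File(s)        226,304 bytes
 Directory of c:\WINDOWS\$NtUninstallKB835409$
11/14/2002  12:50 PM           226,816 srrstr.dll
               1 File(s)        226,816 bytes
 Directory of c:\WINDOWS\$NtUninstallQ329441$
08/29/2002  05:00 AM           226,304 srrstr.dll
 Directory of c:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e
08/04/2004  02:56 AM           239,104 srrstr.dll
 Directory of c:\WINDOWS\SYSTEM32
10/27/2005  02:06 PM           226,816 srrstr.dll
 Directory of c:\WINDOWS\SYSTEM32\DLLCACHE
10/27/2005  02:06 PM           226,816 srrstr.dll
               6 File(s)      1,372,160 bytes
               0 Dir(s)  10,493,571,072 bytes free
"""

# Hypothetical listing (constructed for illustration, not from the thread):
# the live SYSTEM32 copy no longer matches the DLLCACHE backup.
TAMPERED_DIR_OUTPUT = r"""
 Directory of c:\WINDOWS\SYSTEM32
10/27/2005  02:06 PM           231,424 srrstr.dll
 Directory of c:\WINDOWS\SYSTEM32\DLLCACHE
10/27/2005  02:06 PM           226,816 srrstr.dll
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# A file entry starts at column 0 with a date; summary lines such as
# "1 File(s) 226,304 bytes" are indented and carry no date, so they are skipped.
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return (directory, filename, size_in_bytes, timestamp) tuples."""
    entries, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group("size").replace(",", ""))
            stamp = f"{m.group('date')} {m.group('time')}"
            entries.append((current_dir, m.group("name"), size, stamp))
    return entries


def size_variants(entries):
    """Map each filename (case-insensitive) to {size: [directories]}."""
    variants = defaultdict(lambda: defaultdict(list))
    for directory, name, size, _stamp in entries:
        variants[name.lower()][size].append(directory)
    return variants


def compare_with_dllcache(entries):
    """Check the live copy in SYSTEM32 against the DLLCACHE backup.

    Returns {filename: "match" | "mismatch" | "no-cache-copy"}. A live file
    that differs in size or timestamp from the Windows File Protection copy
    deserves a closer look (hash and signature check).
    """
    live, cached = {}, {}
    for directory, name, size, stamp in entries:
        d = directory.lower()
        if d.endswith("\\system32"):
            live[name.lower()] = (size, stamp)
        elif d.endswith("\\system32\\dllcache"):
            cached[name.lower()] = (size, stamp)
    verdicts = {}
    for name, info in live.items():
        if name not in cached:
            verdicts[name] = "no-cache-copy"
        else:
            verdicts[name] = "match" if cached[name] == info else "mismatch"
    return verdicts


if __name__ == "__main__":
    parsed = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    for name, sizes in size_variants(parsed).items():
        for size, dirs in sorted(sizes.items()):
            print(f"{name}: {size:,} bytes in {', '.join(dirs)}")
    print(compare_with_dllcache(parsed))
    print(compare_with_dllcache(parse_dir_listing(TAMPERED_DIR_OUTPUT)))
```

A size-and-timestamp match is only a first filter: both copies could have been replaced together, so a mismatch (or a missing DLLCACHE copy) is a reason to hash the file and check its signature, and a match is a reason to move on to the rootkit scanners the helper asks for rather than to stop looking.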

#26 Tomboymama (Authentic Member, 46 posts)

Posted 26 August 2007 - 10:27 PM

It is not a password-protected login. I did reboot the computer after checking off the files, and believe I followed the instructions as described. It does seem to be stopping in the same place each time, although it is hard to see what exactly it is scanning when it stops, as it goes so quickly. When I click on the technical information link on the error report, it says that the following file is included in the report: C:\DOCUME~\AndiL\LOCALS~1\Temp\WER2.tmp.dir00\appcompat.txt I am not sure if that helps any.

Edited by Tomboymama, 26 August 2007 - 11:02 PM.


#27 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 27 August 2007 - 05:49 AM

That file is created when you see those error reports to send to Microsoft. Let's see if bypassing some drivers will allow the scan.


Go to Start - Run, type gmer.exe (and Enter). When GMER opens click the Processes tab. To the right click the "Safe..." button, and agree to start GMER in Safe Mode. Your system will reboot. On reboot "OK" the prompt to run GMER Safe Mode. When GMER opens run a scan as you have done already, saving that new log to post back here. Once you have completed that click the Processes tab, and click Restart to reboot the computer. Then post the GMER log please. Make sure you use GMER for the "Restart" to avoid having it reboot into Safe Mode again.

Edited by Jintan, 27 August 2007 - 05:50 AM.


#28 Tomboymama (Authentic Member, 46 posts)

Posted 27 August 2007 - 06:44 PM

Well, this is frustrating. It will scan completely in safe mode, but I cannot "save" a log. It freezes up when I choose the save option and requires a hard reboot to get out of it. It will copy fine, but then I have no way to paste it into another document as I am not even getting a desktop when it runs in this mode, just a black background. If you have any other ideas, I am all ears. I have tried everything I can think of.

#29 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 27 August 2007 - 07:41 PM

I can appreciate the extra measures you are trying to get this report created - let's go with some different tools and see if we draw out the desired information.


Download and Save Blacklight to your desktop:

* Double-click blbeta.exe then accept the agreement, click > scan then > next
* You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
* Copy and paste this log in your next reply. Don't choose any other options!



Download DiagHelp.zip from here and unzip it. In the DiagHelp folder created, locate the go.cmd file and click on it to start the scan. A window will open; from the menu select option 1. Follow all prompts, but do not run any other programs and, unless you are responding to a prompt, do not touch your keyboard. Once the scan has completed a text file should open in Notepad - please copy the contents back here. This will take a few minutes so please be patient.

Due to a system difference in language use, when the scan completes it will show the following in the command window:

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Just type in Exit at that point to finish out the scan. The resulting log should be C:\resultat.txt if a text copy does not pop up at the end of the scan.

#30 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 27 August 2007 - 08:17 PM

I was assisting elsewhere and realized the steps for Blacklight I provided are not my current steps for the current scan tool. Instead of the previous Blacklight steps please download F-Secure Blacklight (fsbl.exe) from here (it is actually the same location, different name) and save it to your C drive (this should create C:\fsbl.exe). Once you have done that go to Start - Run, type cmd (and Enter). At the prompt copy/paste the following (then Enter after):

C:\fsbl.exe /expert


Accept the user agreement, then click Scan and allow BlackLight to scan your computer. When the scan completes click Next, and then Exit.

BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan). Please post that log here in your next reply.
