serious malware/virus on my system.(RESOLVED)

**walterj** · 29-09-2006

System HP A384. AMD2800, 1 gig mem, 3 HD(80g primary ide, 2 36g SCSI secondary)
nvida mx440 64meg video, dvd reader, cd burner. XP home SP1. (had to reformat and reload entire system still in process of installing programs. Since I have dial up SP2 is taking long time not finished dowloading it), using AVG, adaware 1.06(setup done as recomended on dal site) spyboot 1.4. This week at work we had serious prblem wih virus, spam and so on and I did send some work to my pc at home. I have AVG showing up with virus in msconfig and trojan backdoor in system32(l.exe some of them). running spyboot get about 12 hits. adaware 3 to 5. When I go back and rerun same all virus and spyware shows up again this is without going to net or restarting pc. Did power pc off and pulled plug from wall and waited for 10 min and then started in safe mode and ran all 3. Same result all garbage back rerun in safe mode just brings all back like if i did not get anything done. Restarted in normal and all showed up again. Also message shows up that I am off line and hit to start working off line message keeps poping up erery 10 to 15 minutes. that started after my emails from work to home. Attached is hijack log. any help will be deeply appretiated. Walter
PS all 3 (avg, adaware, spyboot are up to date.)

**Neal** · 29-09-2006

Welcome,

Please post your hijackthis log directly into this thread instead of as an attachment. Thanks.

Download and install
Ewido anti-spyware
4.0 (uninstall any previous version first).

Click the Download BUTTON. On the next page click the
Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run ewido anti-spyware
Wait a few moments and Ewido should Auto update itself (note date of last
update). If it doesn't update, click the update ICON at top of
screen:
Click on the Update now LINK at the top of the window
- Click on the Start update button
- Wait for the update to download and install

**walterj** · 29-09-2006

Originally Posted by Neal

Welcome,

Please post your hijackthis log directly into this thread instead of as an attachment. Thanks.

Download and install
Ewido anti-spyware
4.0 (uninstall any previous version first).

Click the Download BUTTON. On the next page click the
Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run ewido anti-spyware
Wait a few moments and Ewido should Auto update itself (note date of last
update). If it doesn't update, click the update ICON at top of
screen:
This is very important to get the LATEST
updates
Click on the Status ICON
- Under "Your computers Security"
  Click change status on Resident shield to inactive
  (ONLY consider activation of that feature once you are
  clean)
Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions
and choose Quarantine

Close ALL open Windows / Programs / Folders. Please start
Ewido, and run a full scan:

Click on the default Status ICON and select
the Scan now LINK.

OR
Click on the Scanner ICON . Select the Scan
TAB.
- Select Complete System Scan. Ewido will now begin to scan your
  system.

If Ewido finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows
  Quarantine, if not click on the link and choose
  Quarantine from the popup menu.
- Select Apply all actions at the bottom of the window (and the
  items found will be quarantined - and recoverable, if any items are needed
  back).
When the scan has completed, click on the Save Scan Report button
and save the scan to your Desktop where it can be easily found.
Copy and paste the EWIDO scan results into your next
post.
Close Ewido.

Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And post a new HJT log also..

To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner

Don't install any Toolbars, or other programs, should it ask you!Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Before first use:
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

Then Reboot (Exit)

Thnks for your reply. Will install evido tonight after work. all symantec programs are going to be removed since all are trial versions that came with pc and are on original restore cd's.
Here is hijack listing
Logfile of HijackThis v1.99.1
Scan saved at 5:30:59 AM, on 9/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system\winlogon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
H:\LOTUS\REGISTER\remind32.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
H:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Lotus SmartSuite 9.6 - English Registration.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.attwireless.att.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe

Thanks Walter

**walterj** · 23-10-2006

Sorry about not replying for 3 weeks. Had to go out of town.
1. did download 3 weeks ago ewido software and updated it.
result of that scan

wido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:47:20 PM 9/29/2006

+ Scan result:

C:\WINDOWS\system32\x.exe -> Backdoor.VanBot.w : Cleaned with backup (quarantined).
C:\WINDOWS\system\winlogon.exe -> Backdoor.VanBot.w : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end

2. did triger bit defender. I have unfortunetly dialup only after almost 3 hours my ISP did drop connection. At that point it did scan C where it did remove stuff in documents and c(root and windows directory.( spyware, and back door in windows.) scan G gave clean results and it was about 90% done on H.
3. ran ccleaner.

After coming back this is condition of my system.
In "normal" mode I can not run AVG ewido spy boot or bitdefender or hijjack. Flashes for a second and is gone. If I go to explorer I can not access ewido, hijack avg folders. Same if I go to the net and try to go to any AV sites(AVG norton or macaffe or ewido).
I safe mode here are listing
ewido from 10/22
wido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:07:31 PM 10/22/2006

+ Scan result:

C:\RECYCLER\S-1-5-21-3790483622-3555323011-4162805953-1003\Dc1.exe -> Backdoor.Rbot.bgu : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Backdoor.Rbot.bjx : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3790483622-3555323011-4162805953-1003\Dc4.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3790483622-3555323011-4162805953-1003\Dc5.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ehg-attworldnet.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).

::Report end

Spyboot
Search result list ---
Microsoft.WindowsSecurityCenter.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\wscsvc\Start!=W=2

Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
Hijack
Logfile of HijackThis v1.99.1
Scan saved at 9:53:03 AM, on 10/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Free\avgwb.dat
H:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Worldnet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "H:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SVC Hosts] svchosts.exe
O4 - HKLM\..\RunServices: [SVC Hosts] svchosts.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WrCtrl] "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
O4 - HKCU\..\Run: [SVC Hosts] svchosts.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F34894FD-513A-4F60-A21C-15AF72553396}: NameServer = 204.127.129.3 12.102.244.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - h:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Mass Effect(TM) Xbox 360 - Unknown owner - C:\WINDOWS\System32\dllcache\mfxbox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - h:\Program Files\Kerio\WinRoute Firewall\winroute.exe

AVG keeps reporting same infection. marks as cured datk.exe shows up in c and in windows/system32 and in documents

rebot into normal brings same junk right back and reboot inot safe mode finds same suff right back. I am using different pc since when ondal forum I can not get into AV area( any other is OK)
Thanks for any help in advance Walter

**Neal** · 23-10-2006

Hi,

Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide after we are done

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter. If not already in safe mode.

Run hijackthis and click on scan button and put checks next to these:

O4 - HKLM\..\Run: [SVC Hosts] svchosts.exe
O4 - HKLM\..\RunServices: [SVC Hosts] svchosts.exe
O4 - HKCU\..\Run: [SVC Hosts] svchosts.exe

Nothing open but hijackthis and click on fix checked

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

svchosts.exe

Be very careful of the spelling here, notice the letter "s" at the end, delete the one with letter "s" at the end. There is a very legit file spelled just like that "without" the "s" DO NOT DELETE that one.

Let me know how things are doing now after the above.

Post a new hijackthis log please.

**walterj** · 24-10-2006

Originally Posted by Neal

Hi,

Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide after we are done

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter. If not already in safe mode.

Run hijackthis and click on scan button and put checks next to these:

O4 - HKLM\..\Run: [SVC Hosts] svchosts.exe
O4 - HKLM\..\RunServices: [SVC Hosts] svchosts.exe
O4 - HKCU\..\Run: [SVC Hosts] svchosts.exe

Nothing open but hijackthis and click on fix checked

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

svchosts.exe

Be very careful of the spelling here, notice the letter "s" at the end, delete the one with letter "s" at the end. There is a very legit file spelled just like that "without" the "s" DO NOT DELETE that one.

Let me know how things are doing now after the above.

Post a new hijackthis log please.

Hi Neal
hidden files are showing up. Did go into save mode and ran hijack. this hijack log same as my previous hijack had no svchosts at all.
only svchosts is in C:\WINDOWS\Prefetch
SVCHOSTS.EXE-39f6f7ec.pf(found by search)
After running hijack did go ad ran in save mode avg, evido and spyboot. all same junk did show up again and was cured. Did power pc off. let it sit for 30 sec. then started in normal mode. In normal mode AV, ewido, spyboot will not start. can not go to any av sites.Same type as posting by kewama.
reboot to safe mode at that point did show infection again.all the problems back again.
Thanks in advance Walter

Logfile of HijackThis v1.99.1
Scan saved at 5:30:59 AM, on 9/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system\winlogon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
H:\LOTUS\REGISTER\remind32.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
H:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attwireless.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elderscrolls.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Lotus SmartSuite 9.6 - English Registration.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.attwireless.att.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe

S

**Neal** · 25-10-2006

Well this is not good at all I'm afraid, see if you can do these two scans below:

Try running this:

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.
Please print these instructions as you will be going into safe mode.
Reboot your computer into Safe Mode by following the following steps:

Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt

Download Silent runners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click yes to the suplimentry searchs
Wait until there is a All Done message !!, Then open and post the log next to it.
Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.

**walterj** · 25-10-2006

since I am at work will get that done tonight. Thanks Walter

**walterj** · 26-10-2006

Hi Neal
Loaded both in and ran both of them. Still are not able to start any type AV software in normal mode or go to av sites or open AV folders.
here are posts from both runs.
here is wipfind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 9/28/2006 6:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 9/28/2006 6:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 9/28/2006 6:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 9/28/2006 6:06:52 AM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/26/2006 12:04:00 AM S 2048 C:\WINDOWS\bootstat.dat
9/29/2006 12:50:04 AM HS 830595 C:\WINDOWS\system32\ilkkj.bak1
10/4/2006 5:16:50 AM HS 816904 C:\WINDOWS\system32\ilkkj.bak2
10/26/2006 12:14:02 AM HS 1888 C:\WINDOWS\system32\ilkkj.ini
9/29/2006 12:49:08 AM HS 577588 C:\WINDOWS\system32\jkkli.dll
9/29/2006 12

48 AM HS 40973 C:\WINDOWS\system32\qommnki.dll
9/30/2006 1:13:10 PM H 46913 C:\WINDOWS\system32\Wnccdctl.log
10/26/2006 12:04:06 AM H 12288 C:\WINDOWS\system32\config\default.LOG
10/26/2006 12:05:46 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/26/2006 12:04:02 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/26/2006 12:12:46 AM H 1024 C:\WINDOWS\system32\config\software.LOG
10/26/2006 12:05:48 AM H 1024 C:\WINDOWS\system32\config\system.LOG
9/16/2006 2:02:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DA T.LOG
9/16/2006 2:02:58 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
9/16/2006 2:02:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
10/21/2006 5:06:26 AM RHS 95232 C:\WINDOWS\system32\dllcache\mfxbox.exe
9/16/2006 2:15:22 AM RHS 3934 C:\WINDOWS\system32\drivers\HP_DT170A-ABA A384X_YC_Pavi_QMXK343_E34NAheBLU2_4_IA7N8X-LA_SASUSTeK Computer INC._V1.xx_B3.12_T040831_WXH1_L409_M1024_J80_7AMD_ 8Athlon XP 2800+_92.08_110DE006E_N10DE0066_P_Z11C1044C_K90050 010_A10DE006A_U10DE0067_G10DE0181.MRK
9/15/2006 11:05:34 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1ec14b7b-5ce2-413c-bbda-0f0c68fb2d83
9/16/2006 2:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9e9da261-fd8d-4cd5-baa0-e4e1b6d142c1
9/16/2006 2:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd89f925-c22a-4064-9c95-be5482897b46
9/16/2006 2:05:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e50a488c-09ab-46c4-bad8-134bdb55cfb9
9/15/2006 11:05:34 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/25/2006 11:43:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT
9/29/2006 8:41:54 PM HS 43 C:\WINDOWS\Temp\removalfile.bat
9/16/2006 2:07:12 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
9/16/2006 2:07:12 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
9/16/2006 2:07:12 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4R9EM4E3\desktop.ini
9/16/2006 2:07:12 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8IEWGXNI\desktop.ini
9/16/2006 2:07:12 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDIFGLMJ\desktop.ini
9/16/2006 2:07:12 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPQRSPUV\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 6/27/2003 11:40:32 PM 8606208 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/7/2003 9:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/20/2003 4:42:34 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
12/10/2005 3:06:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SiSoftware 1/29/2005 6:10:02 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Softex, Inc 2/21/2003 6:06:04 AM 32768 C:\WINDOWS\SYSTEM32\scurecpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation 4/7/2003 9:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFi les\igfxcpl.cpl
Realtek Semiconductor Corp. 6/27/2003 11:40:32 PM 8606208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFi les\ALSNDMGR.CPL
NVIDIA Corporation 5/3/2003 1:19:00 AM 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFi les\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/23/2006 7:19:08 PM 901 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
10/1/2006 9:31:16 PM 1615 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/23/2003 7:53:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/23/2003 8:58:42 AM 1879 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
9/30/2006 1:54:08 PM 1595 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
10/15/2006 9:44:22 AM 1769 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
8/23/2003 9:25:14 AM 675 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
9/30/2006 1:54:08 PM 780 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
9/29/2006 8:34:32 PM 626 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/23/2003 12:46:38 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/23/2003 9:02:04 AM 504 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
8/23/2003 7:53:32 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
8/28/2003 10:19:16 PM 844 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
8/23/2003 12:46:38 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
AT&T CSM7.0 = AT&T CSM7.0
AT&T CSM8.2 = AT&T CSM8.2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AV G7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = h:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ew ido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = h:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Of fline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Op en With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Op en With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OP ShellE
{CCFE56EE-C7DE-44EE-A160-4553A5A912C9} = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Sy mantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Wi nZip
{E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a 2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = h:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ContextMenuHandlers\Symantec.Norton.Antivirus.IEC ontextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = h:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\OPShellE
{CCFE56EE-C7DE-44EE-A160-4553A5A912C9} = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shel lex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = H:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex \ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= H:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{0F660F64-F4C9-477F-8529-44181B717472}
CSMHelperObj Class = H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= H:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}
IE_PopupBlocker Class = h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{68676EFE-9B30-4EBD-B842-7ED9B3460C53}
= C:\WINDOWS\System32\qommnki.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{ED1A1378-D8B5-4780-8C9A-14F0942A5F58}
= C:\WINDOWS\System32\jkkli.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
= :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0264505A-6793-44E0-AC75-9DCE3B13185C}
ButtonText = AnyWho : H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
CamMonitor c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
HP Software Update "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
HPHUPD05 c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
AVG7_CC h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
!ewido "H:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
Adobe Photo Downloader "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
Propel Accelerator "h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH
KBD C:\HP\KBD\KBD.EXE
PS2 C:\WINDOWS\system32\ps2.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
SpybotSD TeaTimer h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
WrCtrl "h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
navapsvc 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
item Kodak EasyShare software
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
item Kodak EasyShare software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~ 1.EXE
item Kodak software updater
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~ 1.EXE
item Kodak software updater

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup
location Common Startup
command H:\Lotus\organize\easyclip.exe
item Lotus Organizer EasyClip
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
backup C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup
location Common Startup
command H:\Lotus\organize\easyclip.exe
item Lotus Organizer EasyClip

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup
location Common Startup
command H:\Lotus\wordpro\ltsstart.exe
item Lotus QuickStart
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup
location Common Startup
command H:\Lotus\wordpro\ltsstart.exe
item Lotus QuickStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
backup C:\WINDOWS\pss\Lotus SmartCenter.lnkCommon Startup
location Common Startup
command H:\Lotus\smartctr\SMARTCTR.EXE
item Lotus SmartCenter
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SmartCenter.lnk
backup C:\WINDOWS\pss\Lotus SmartCenter.lnkCommon Startup
location Common Startup
command H:\Lotus\smartctr\SMARTCTR.EXE
item Lotus SmartCenter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
backup C:\WINDOWS\pss\Lotus SuiteStart.lnkCommon Startup
location Common Startup
command H:\Lotus\smartctr\SUITEST.EXE
item Lotus SuiteStart
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus SuiteStart.lnk
backup C:\WINDOWS\pss\Lotus SuiteStart.lnkCommon Startup
location Common Startup
command H:\Lotus\smartctr\SUITEST.EXE
item Lotus SuiteStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
location Common Startup
command H:\PROGRA~1\MICROS~1\Office\1033\OLFSNT40.EXE
item Symantec Fax Starter Edition Port
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
location Common Startup
command H:\PROGRA~1\MICROS~1\Office\1033\OLFSNT40.EXE
item Symantec Fax Starter Edition Port

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup C:\WINDOWS\pss\HP Organize.lnkStartup
location Startup
command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
item HP Organize
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup C:\WINDOWS\pss\HP Organize.lnkStartup
location Startup
command C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\DISPLA~1.EXE "-application" "core.hp.main/application.xml" "-appname" "eLife"
item HP Organize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Lotus SmartSuite 9.6 - English Registration.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Lotus SmartSuite 9.6 - English Registration.lnk
backup C:\WINDOWS\pss\Lotus SmartSuite 9.6 - English Registration.lnkStartup
location Startup
command H:\LOTUS\REGISTER\remind32.exe
item Lotus SmartSuite 9.6 - English Registration
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Lotus SmartSuite 9.6 - English Registration.lnk
backup C:\WINDOWS\pss\Lotus SmartSuite 9.6 - English Registration.lnkStartup
location Startup
command H:\LOTUS\REGISTER\remind32.exe
item Lotus SmartSuite 9.6 - English Registration

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\System
DisableRegistryTools 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkli
= C:\WINDOWS\System32\jkkli.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OPXPGina
= C:\Program Files\Softex\OmniPass\opxpgina.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qommnki
= qommnki.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/26/2006 12:14:07 AM

and here is silen runner
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"SpybotSD TeaTimer" = "h:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"WrCtrl" = ""h:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"" ["Kerio Technologies"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [empty string]
"HP Software Update" = ""c:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HPHUPD05" = "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" ["Hewlett-Packard"]
"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]
"StorageGuard" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"AVG7_CC" = "h:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"!ewido" = ""H:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"Adobe Photo Downloader" = ""H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Propel Accelerator" = ""h:\Program Files\AT&T Worldnet Accelerator\trayctl.exe" /STARTUPLAUNCH" ["Propel Software Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0F660F64-F4C9-477F-8529-44181B717472}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CSMHelperObj Class"
\InProcServer32\(Default) = "H:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll" [file not found]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "H:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{656EC4B7-072B-4698-B504-2A414C1F0037}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IE_PopupBlocker Class"
\InProcServer32\(Default) = "h:\Program Files\AT&T Worldnet Accelerator\prpl_IePopupBlocker.dll" ["Propel Software Corporation"]
{68676EFE-9B30-4EBD-B842-7ED9B3460C53}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\qommnki.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "c:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{ED1A1378-D8B5-4780-8C9A-14F0942A5F58}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\jkkli.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{19CC43A1-6925-4B48-B292-830291F393A6}" = "HPNSView"
-> {HKLM...CLSID} = "My Kahuna"
\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdns_01.dll" [empty string]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}" = "OmniPass Shell Extension"
-> {HKLM...CLSID} = "OmniPass Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "h:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "h:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "H:\PROGRA~1\MICROS~1\Office\1033\UNBIND.DLL" [MS]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "H:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{68676EFE-9B30-4EBD-B842-7ED9B3460C53}" = "*P" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\qommnki.dll" [null data]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "h:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> jkkli\DLLName = "C:\WINDOWS\System32\jkkli.dll" [null data]
<<!>> OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]
<<!>> qommnki\DLLName = "qommnki.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandler s\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "H:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "h:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "h:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
OPShellE\(Default) = "{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}"
-> {HKLM...CLSID} = "OmniPass Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "c:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "h:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
OPShellE\(Default) = "{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}"
-> {HKLM...CLSID} = "OmniPass Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "h:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "c:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

D:\
<<!>> D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"spamsubtract" -> shortcut to: "C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe -q" ["interMute, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "H:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microtek Scanner Finder" -> shortcut to: "C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe" [empty string]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"Symantec Fax Starter Edition Port" -> shortcut to: "H:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE" [MS]
"WinZip Quick Pick" -> shortcut to: "H:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]

Enabled Scheduled Tasks:
------------------------

"Spybot - Search & Destroy - Scheduled Task" -> launches: "H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK /AUTOFIX" ["Safer Networking Limited"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
SpSubLSP.dll ["interMute, Inc."], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "c:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "HP View"
\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll" ["Hewlett-Packard Company"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "c:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp view"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "HP View"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll" ["Hewlett-Packard Company"]

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{0264505A-6793-44E0-AC75-9DCE3B13185C}\
"ButtonText" = "AnyWho"
"Exec" = "H:\Program Files\AT&T\WnClient\Programs\AnyWho.exe" [file not found]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspn et_state.exe" [MS]
AVG E-mail Scanner, AVGEMS, "h:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "h:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "h:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "h:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
Kerio WinRoute Firewall, WinRoute, "h:\Program Files\Kerio\WinRoute Firewall\winroute.exe" ["Kerio Technologies"]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Mass Effect(TM) Xbox 360, Mass Effect(TM) Xbox 360, ""C:\WINDOWS\System32\dllcache\mfxbox.exe"" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}
Sandra Data Service, SandraDataSrv, "h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe" ["SiSoftware"]
Sandra Service, SandraTheSrv, "h:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe" ["SiSoftware"]
Softex OmniPass Service, omniserv, "C:\Program Files\Softex\OmniPass\Omniserv.exe" [null data]
Windows NT Logon Application, WINLOGON, ""C:\WINDOWS\system\winlogon.exe"" [file not found]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Canon BJ Language Monitor S450\Driver = "CNMLM2R.DLL" ["CANON INC."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 1073 seconds, including 16 seconds for message boxes)
Thanks Walter

**Neal** · 26-10-2006

Well that turned up some things,

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Also give me a new winpfind log please.

serious malware/virus on my system.(RESOLVED)

serious malware/virus on my system.(RESOLVED)

Similar Threads

Xp smart security malware/virus

[Resolved] Vista Issues, Virus, Malware ????

Help Please - Horrible Virus/Malware/Spyware(RESOLVED)

virus/malware assistance urgent (RESOLVED)

Have serious virus or malware problem(s) - please help! (RESOLVED)