Computer hangs after a while on the internet

  #31 Ron_Oldenbeuving (Junior Member)

    Re: Computer hangs after a while on the internet

    OK, here are the logs of the VundoFix removals. As a quick aside, how does infection with this little beast normally occur?

    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\jkkjg.dll
    C:\WINDOWS\system32\jkkjg.dll Has been deleted!
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\awtst.dll
    C:\WINDOWS\system32\awtst.dll Has been deleted!
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\qrqss.bak1
    C:\WINDOWS\system32\qrqss.bak1 Has been deleted!
    Performing Repairs to the registry.
    Done!
    Beginning removal...
    Attempting to delete C:\WINDOWS\system32\pmnnm.dll
    C:\WINDOWS\system32\pmnnm.dll Has been deleted!
    Performing Repairs to the registry.
    Done!


  #32 Neal (Dedicated Member)
    I have not seen this many variants of Vundo before on any computer. These guys that invent this crap are very smart, and unfortunately the guys that make fixes for this stuff are kind of behind, but maybe we are getting close.

    Good job on what you just did. Now let me see a new ComboFix log please, as ComboFix is supposed to remove the Purity Scan infection, and hopefully no Vundo files will show up. If they do, then there must be a re-infector somewhere deep in your computer called a rootkit infection, and those are very hard if not impossible to get rid of.

  #33 Ron_Oldenbeuving (Junior Member)
    Ron - 06-12-05 1415.15 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Program Files\Combofix"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


    2006-12-04 23:25 <DIR> dr-h----- C:\Documents and Settings\Ron\Recent
    2006-11-30 22:02 <DIR> d-------- C:\Program Files\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2006-11-30 21:43 <DIR> d-------- C:\Program Files\Site Advisor
    2006-11-29 13:25 <DIR> d-------- C:\Program Files\Combofix
    2006-11-28 09:38 3,138 --a------ C:\WINDOWS\system32\tmp.reg
    2006-11-28 09:27 <DIR> d-------- C:\VundoFix Backups
    2006-11-27 09:43 <DIR> d-------- C:\Program Files\CCleaner
    2006-11-26 14:11 <DIR> d-------- C:\Program Files\SilentRunner
    2006-11-24 14:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-24 14:04 <DIR> d-------- C:\Program Files\Grisoft
    2006-11-23 13:28 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\Lavasoft
    2006-11-23 13:11 <DIR> d-------- C:\Program Files\AdAwareSE
    2006-11-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-11-23 12:11 <DIR> d-------- C:\Program Files\Spybot
    2006-11-16 09:55 31,248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
    2006-11-16 09:55 197,648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
    2006-11-16 09:55 1,051,456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
    2006-11-16 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-05 14:53 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-12-05 08:45 -------- d-------- C:\Program Files\MSN
    2006-12-04 23:27 -------- d-------- C:\Program Files\Hijackthis
    2006-12-04 09:37 -------- d-------- C:\Program Files\BBasics1
    2006-11-29 13:39 -------- d-------- C:\Program Files\Common Files
    2006-11-16 07:08 -------- d-------- C:\Program Files\Trend Micro
    2006-11-14 09:51 -------- d-------- C:\Program Files\Apple Software Update
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-11-03 22:01 -------- d-------- C:\Documents and Settings\Ron\Application Data\Goodsol
    2006-11-03 02:19 -------- d-------- C:\Program Files\Bonjour
    2006-11-03 02:13 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-03 01:59 110612 --a------ C:\WINDOWS\system32\tytgrhpj.exe
    2006-11-03 00:09 110612 --a------ C:\WINDOWS\system32\acvqsreg.exe
    2006-11-02 21:54 110612 --a------ C:\WINDOWS\system32\bkuiuaqm.exe
    2006-11-02 16:07 110612 --a------ C:\WINDOWS\system32\fstgqlxw.exe
    2006-11-02 08:19 110612 --a------ C:\WINDOWS\system32\jpwwbdjd.exe
    2006-11-01 17:26 110612 --a------ C:\WINDOWS\system32\rvsxvwym.exe
    2006-11-01 17:14 110612 --a------ C:\WINDOWS\system32\rkewjxeq.exe
    2006-11-01 09:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-11-01 09:22 -------- d-------- C:\Program Files\NetAccelerator
    2006-11-01 01:30 110612 --a------ C:\WINDOWS\system32\hfffmevx.exe
    2006-11-01 00:58 110612 --a------ C:\WINDOWS\system32\pvqlhbrx.exe
    2006-11-01 00:38 110612 --a------ C:\WINDOWS\system32\kblrhrbc.exe
    2006-11-01 00:22 110612 --a------ C:\WINDOWS\system32\qrvoydnd.exe
    2006-10-31 23:55 110612 --a------ C:\WINDOWS\system32\sxbbwqkf.exe
    2006-10-31 22:02 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-31 16:48 110612 --a------ C:\WINDOWS\system32\kjmvfqmo.exe
    2006-10-31 16:45 110612 --a------ C:\WINDOWS\system32\afgqotio.exe
    2006-10-31 16:29 110612 --a------ C:\WINDOWS\system32\iebcrqex.exe
    2006-10-31 16:12 110612 --a------ C:\WINDOWS\system32\uvjgxsgh.exe
    2006-10-31 15:55 110612 --a------ C:\WINDOWS\system32\dkjulumy.exe
    2006-10-31 15:52 110612 --a------ C:\WINDOWS\system32\qorpsfda.exe
    2006-10-31 15:48 -------- d-------- C:\Program Files\Java
    2006-10-31 15:31 110612 --a------ C:\WINDOWS\system32\iykwhbkc.exe
    2006-10-31 15:19 110612 --a------ C:\WINDOWS\system32\vmrfirtr.exe
    2006-10-31 13:39 110612 --a------ C:\WINDOWS\system32\obwcwpxn.exe
    2006-10-31 12:51 110612 --a------ C:\WINDOWS\system32\gttcadbf.exe
    2006-10-31 11:04 -------- d-------- C:\Program Files\Nero
    2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-26 11:36 -------- d-------- C:\Program Files\OfficeUpdate11
    2006-10-23 20:40 -------- d-------- C:\Program Files\Autodesk
    2006-10-23 20:28 -------- d-------- C:\Documents and Settings\Ron\Application Data\SolidDynamics
    2006-10-23 20:06 -------- d-------- C:\Program Files\Common Files\Autodesk
    2006-10-23 19:58 -------- d-------- C:\Program Files\Microsoft Office
    2006-10-23 19:58 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-10-23 19:58 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
    2006-10-23 19:58 -------- d-------- C:\Program Files\AnswerWorks 4.0
    2006-10-23 14:42 -------- d-------- C:\Program Files\Apple Quicktime
    2006-10-18 14:59 -------- d-------- C:\Program Files\WinRAR
    2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-16 17:54 -------- d-------- C:\Program Files\Google Talk
    2006-10-16 17:54 -------- d-------- C:\Program Files\Google
    2006-10-13 23:05 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 23:05 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 23:05 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
    2006-10-13 20:53 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
    2006-10-12 08:02 -------- d-------- C:\Program Files\Common Files\Kodak
    2006-10-12 03:05 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll
    2006-10-12 03:05 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
    2006-10-12 03:05 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll
    2006-10-12 03:05 153088 --a------ C:\WINDOWS\system32\p2p.dll
    2006-10-12 03:05 115712 --a------ C:\WINDOWS\system32\p2pnetsh.dll
    2006-10-12 03:05 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll
    2006-10-11 12:52 -------- d-------- C:\Documents and Settings\Ron\Application Data\Sun
    2006-10-09 23:44 -------- d---s---- C:\Documents and Settings\Ron\Application Data\Microsoft
    2006-10-09 11:20 -------- d-------- C:\Program Files\Limewire
    2006-09-18 11:33 2249 --a------ C:\Documents and Settings\Ron\Application Data\AdobeDLM.log
    2006-09-18 11:33 0 --a------ C:\Documents and Settings\Ron\Application Data\dm.ini
    2006-09-13 15:31 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-12 06:27 62 --ahs---- C:\Documents and Settings\Ron\Application Data\desktop.ini
    2006-09-11 21:13 0 -rahs---- C:\MSDOS.SYS
    2006-09-11 21:13 0 -rahs---- C:\IO.SYS
    2006-09-11 21:13 0 --a------ C:\CONFIG.SYS
    2006-09-11 21:13 0 --a------ C:\AUTOEXEC.BAT
    2006-09-06 17:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "RTHDCPL"="RTHDCPL.EXE"
    "nwiz"="nwiz.exe /install"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "EPSON Stylus Photo R310 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3F2.EXE /P30 \"EPSON Stylus Photo R310 Series\" /O6 \"USB001\" /M \"Stylus Photo R310\""
    "DT Task"="C:\\Program Files\\Portrait Displays\\forteManager\\DTHtml.exe -startup_folder"
    "QuickTime Task"="\"C:\\Program Files\\Apple Quicktime\\qttask.exe\" -atboottime"
    "pccguide.exe"="C:\\PROGRA~1\\TRENDM~1\\INTERN~2\\pccguide.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
    "SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\4608\\SiteAdv.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000006

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 06-12-05 14:57:37.56
    C:\ComboFix.txt ... 06-12-05 14:57
    C:\ComboFix2.txt ... 06-11-29 13:40

  #34 Neal (Dedicated Member)
    Well, no Vundo is showing, and apparently no Purity Scan resides on your computer either, but we still need to see what those other files are. But first...



    Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

    And post a new HJT log also..


    One other thing: those files I found are probably from the same thing, whatever that is, so I will pick five of them at random, and I need you to scan them individually; instructions are below for that. Thanks.



    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done



    Go to next site:
    http://www.virustotal.com/en/indexf.html
    On top you'll find 'Browse'
    Click the browse button and browse to next file:


    C:\WINDOWS\system32\tytgrhpj.exe


    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    Also these, one at a time:

    C:\WINDOWS\system32\jpwwbdjd.exe
    C:\WINDOWS\system32\kblrhrbc.exe
    C:\WINDOWS\system32\iebcrqex.exe
    C:\WINDOWS\system32\wnsintsu.exe
    Last edited by Neal; 05-12-2006 at 10:12 PM.
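Neal's remark that the files he picked out of the Find3M report are "probably from the same thing" can be checked mechanically before anything is uploaded. The script below is an added example, not part of the thread and not ComboFix's own code: it parses lines in the Find3M layout shown above and reports clusters of system32 executables that share an exact byte size, carry random-looking eight-letter names and were written within a few days of each other. The log excerpt it runs on is constructed from a handful of the lines in the post plus one directory entry; the thresholds (three members, seven days) are arbitrary triage choices, not signatures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the layout of the ComboFix "Find3M Report" above
# (a few of its lines, plus one directory entry); not the full log.
SAMPLE_LOG = r"""
2006-12-05 14:53 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 01:59 110612 --a------ C:\WINDOWS\system32\tytgrhpj.exe
2006-11-03 00:09 110612 --a------ C:\WINDOWS\system32\acvqsreg.exe
2006-11-01 00:22 110612 --a------ C:\WINDOWS\system32\qrvoydnd.exe
2006-10-31 22:02 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-31 16:48 110612 --a------ C:\WINDOWS\system32\kjmvfqmo.exe
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Eight lowercase letters plus .exe/.dll: the naming pattern of the dropped files.
# On its own this also matches legitimate names (vbscript.dll), which is why the
# size cluster and time window below are required as well.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)$")


def parse_find3m(text):
    """Turn Find3M lines into dicts; directory entries (size shown as dashes) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("size").isdigit():
            continue
        path = m.group("path")
        entries.append({
            "when": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def suspicious_clusters(entries, min_members=3, max_span_days=7):
    """Return {size: [names]} for groups of system32 files that share an exact size,
    have random-looking names and were all written within max_span_days.
    Thresholds are arbitrary triage choices, not signatures."""
    by_size = defaultdict(list)
    for e in entries:
        if "\\system32\\" in e["path"].lower() and RANDOM_NAME_RE.match(e["name"]):
            by_size[e["size"]].append(e)
    clusters = {}
    for size, members in by_size.items():
        if len(members) < min_members:
            continue
        times = [m["when"] for m in members]
        if (max(times) - min(times)).days <= max_span_days:
            clusters[size] = sorted(m["name"] for m in members)
    return clusters


if __name__ == "__main__":
    for size, names in suspicious_clusters(parse_find3m(SAMPLE_LOG)).items():
        print(f"{len(names)} files of exactly {size} bytes: {', '.join(names)}")
```

On the constructed excerpt the only cluster is the 110612-byte group; vbscript.dll matches the name pattern but stands alone at its size, so it is not reported.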

  #35 Ron_Oldenbeuving (Junior Member)
    Ran 4 of those 5 files through VirusTotal. The fifth file appears to have gone missing.

    Here are the logs for the 4 files I did scan. Just about to run BitDefender.

    STATUS: FINISHED
    Complete scanning result of "tytgrhpj.exe", received in VirusTotal at 12.05.2006, 23:38:39 (CET).
    Antivirus Version Update Result
    AntiVir 7.2.0.49 12.05.2006 ADSPY/VSAddinDLL.A
    Authentium 4.93.8 12.05.2006 no virus found
    Avast 4.7.892.0 12.05.2006 no virus found
    AVG 386 12.05.2006 Adware Generic.RUQ
    BitDefender 7.2 12.05.2006 Adware.Agent.AT
    CAT-QuickHeal 8.00 12.05.2006 Adware.Virtumonde.sr (Not a Virus)
    ClamAV devel-20060426 12.05.2006 no virus found
    DrWeb 4.33 12.05.2006 no virus found
    eSafe 7.0.14.0 12.03.2006 Suspicious Trojan/Worm
    eTrust-InoculateIT 23.73.77 12.05.2006 no virus found
    eTrust-Vet 30.3.3232 12.05.2006 no virus found
    Ewido 4.0 12.05.2006 no virus found
    Fortinet 2.82.0.0 12.05.2006 suspicious
    F-Prot 3.16f 12.05.2006 no virus found
    F-Prot4 4.2.1.29 12.05.2006 no virus found
    Ikarus T3.1.0.26 12.05.2006 no virus found
    Kaspersky 4.0.2.24 12.05.2006 not-a-virus:AdWare.Win32.Agent.at
    McAfee 4911 12.05.2006 potentially unwanted program Adware-SearchColours
    Microsoft 1.1804 12.05.2006 no virus found
    NOD32v2 1903 12.05.2006 Win32/Adware.Toolbar.SearchColours
    Norman 5.80.02 12.05.2006 W32/Virtumonde.SR
    Panda 9.0.0.4 12.05.2006 Application/VSToolbar
    Prevx1 V2 12.06.2006 no virus found
    Sophos 4.12.0 12.05.2006 no virus found
    Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
    TheHacker 6.0.3.129 12.05.2006 Adware/Agent.at
    UNA 1.83 12.05.2006 Adware.Agent.C0AA
    VBA32 3.11.1 12.05.2006 AdWare.Win32.Searchcolor.a
    VirusBuster 4.3.15:9 12.05.2006 Adware.SearchColors.A

    Additional Information
    File size: 110612 bytes
    MD5: 5143f343d04f5f84dd38bde1af9d1d96
    SHA1: cefad508a70bee2cb4ca9e5d631f1b7bc458edcf
    packers: PECRYPT
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    STATUS: FINISHED
    Complete scanning result of "jpwwbdjd.exe", received in VirusTotal at 12.05.2006, 23:43:41 (CET).
    Antivirus Version Update Result
    AntiVir 7.2.0.49 12.05.2006 ADSPY/VSAddinDLL.A
    Authentium 4.93.8 12.05.2006 no virus found
    Avast 4.7.892.0 12.05.2006 no virus found
    AVG 386 12.05.2006 Adware Generic.RUQ
    BitDefender 7.2 12.05.2006 Adware.Agent.AT
    CAT-QuickHeal 8.00 12.05.2006 Adware.Virtumonde.sr (Not a Virus)
    ClamAV devel-20060426 12.05.2006 no virus found
    DrWeb 4.33 12.05.2006 no virus found
    eSafe 7.0.14.0 12.03.2006 Suspicious Trojan/Worm
    eTrust-InoculateIT 23.73.77 12.05.2006 no virus found
    eTrust-Vet 30.3.3232 12.05.2006 no virus found
    Ewido 4.0 12.05.2006 no virus found
    Fortinet 2.82.0.0 12.05.2006 suspicious
    F-Prot 3.16f 12.05.2006 no virus found
    F-Prot4 4.2.1.29 12.05.2006 no virus found
    Ikarus T3.1.0.26 12.05.2006 no virus found
    Kaspersky 4.0.2.24 12.05.2006 not-a-virus:AdWare.Win32.Agent.at
    McAfee 4911 12.05.2006 potentially unwanted program Adware-SearchColours
    Microsoft 1.1804 12.05.2006 no virus found
    NOD32v2 1903 12.05.2006 Win32/Adware.Toolbar.SearchColours
    Norman 5.80.02 12.05.2006 W32/Virtumonde.SR
    Panda 9.0.0.4 12.05.2006 Application/VSToolbar
    Prevx1 V2 12.06.2006 no virus found
    Sophos 4.12.0 12.05.2006 no virus found
    Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
    TheHacker 6.0.3.129 12.05.2006 Adware/Agent.at
    UNA 1.83 12.05.2006 Adware.Agent.C0AA
    VBA32 3.11.1 12.05.2006 AdWare.Win32.Searchcolor.a
    VirusBuster 4.3.15:9 12.05.2006 Adware.SearchColors.A

    Additional Information
    File size: 110612 bytes
    MD5: 5143f343d04f5f84dd38bde1af9d1d96
    SHA1: cefad508a70bee2cb4ca9e5d631f1b7bc458edcf
    packers: PECRYPT
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    STATUS: FINISHED
    Complete scanning result of "kblrhrbc.exe", received in VirusTotal at 12.05.2006, 23:47:49 (CET).
    Antivirus Version Update Result
    AntiVir 7.2.0.49 12.05.2006 ADSPY/VSAddinDLL.A
    Authentium 4.93.8 12.05.2006 no virus found
    Avast 4.7.892.0 12.05.2006 no virus found
    AVG 386 12.05.2006 Adware Generic.RUQ
    BitDefender 7.2 12.05.2006 Adware.Agent.AT
    CAT-QuickHeal 8.00 12.05.2006 Adware.Virtumonde.sr (Not a Virus)
    ClamAV devel-20060426 12.05.2006 no virus found
    DrWeb 4.33 12.05.2006 no virus found
    eSafe 7.0.14.0 12.03.2006 Suspicious Trojan/Worm
    eTrust-InoculateIT 23.73.77 12.05.2006 no virus found
    eTrust-Vet 30.3.3232 12.05.2006 no virus found
    Ewido 4.0 12.05.2006 no virus found
    Fortinet 2.82.0.0 12.05.2006 suspicious
    F-Prot 3.16f 12.05.2006 no virus found
    F-Prot4 4.2.1.29 12.05.2006 no virus found
    Ikarus T3.1.0.26 12.05.2006 no virus found
    Kaspersky 4.0.2.24 12.05.2006 not-a-virus:AdWare.Win32.Agent.at
    McAfee 4911 12.05.2006 potentially unwanted program Adware-SearchColours
    Microsoft 1.1804 12.05.2006 no virus found
    NOD32v2 1903 12.05.2006 Win32/Adware.Toolbar.SearchColours
    Norman 5.80.02 12.05.2006 W32/Virtumonde.SR
    Panda 9.0.0.4 12.05.2006 Application/VSToolbar
    Prevx1 V2 12.06.2006 no virus found
    Sophos 4.12.0 12.05.2006 no virus found
    Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
    TheHacker 6.0.3.129 12.05.2006 Adware/Agent.at
    UNA 1.83 12.05.2006 Adware.Agent.C0AA
    VBA32 3.11.1 12.05.2006 AdWare.Win32.Searchcolor.a
    VirusBuster 4.3.15:9 12.05.2006 Adware.SearchColors.A

    Additional Information
    File size: 110612 bytes
    MD5: 5143f343d04f5f84dd38bde1af9d1d96
    SHA1: cefad508a70bee2cb4ca9e5d631f1b7bc458edcf
    packers: PECRYPT
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

    STATUS: FINISHED
    Complete scanning result of "iebcrqex.exe", received in VirusTotal at 12.05.2006, 23:54:04 (CET).
    Antivirus Version Update Result
    AntiVir 7.2.0.49 12.05.2006 ADSPY/VSAddinDLL.A
    Authentium 4.93.8 12.05.2006 no virus found
    Avast 4.7.892.0 12.05.2006 no virus found
    AVG 386 12.05.2006 Adware Generic.RUQ
    BitDefender 7.2 12.05.2006 Adware.Agent.AT
    CAT-QuickHeal 8.00 12.05.2006 Adware.Virtumonde.sr (Not a Virus)
    ClamAV devel-20060426 12.05.2006 no virus found
    DrWeb 4.33 12.05.2006 no virus found
    eSafe 7.0.14.0 12.03.2006 Suspicious Trojan/Worm
    eTrust-InoculateIT 23.73.77 12.05.2006 no virus found
    eTrust-Vet 30.3.3232 12.05.2006 no virus found
    Ewido 4.0 12.05.2006 no virus found
    Fortinet 2.82.0.0 12.05.2006 suspicious
    F-Prot 3.16f 12.05.2006 no virus found
    F-Prot4 4.2.1.29 12.05.2006 no virus found
    Ikarus T3.1.0.26 12.05.2006 no virus found
    Kaspersky 4.0.2.24 12.05.2006 not-a-virus:AdWare.Win32.Agent.at
    McAfee 4911 12.05.2006 potentially unwanted program Adware-SearchColours
    Microsoft 1.1804 12.05.2006 no virus found
    NOD32v2 1903 12.05.2006 Win32/Adware.Toolbar.SearchColours
    Norman 5.80.02 12.05.2006 W32/Virtumonde.SR
    Panda 9.0.0.4 12.05.2006 Application/VSToolbar
    Prevx1 V2 12.06.2006 no virus found
    Sophos 4.12.0 12.05.2006 no virus found
    Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
    TheHacker 6.0.3.129 12.05.2006 Adware/Agent.at
    UNA 1.83 12.05.2006 Adware.Agent.C0AA
    VBA32 3.11.1 12.05.2006 AdWare.Win32.Searchcolor.a
    VirusBuster 4.3.15:9 12.05.2006 Adware.SearchColors.A

    Additional Information
    File size: 110612 bytes
    MD5: 5143f343d04f5f84dd38bde1af9d1d96
    SHA1: cefad508a70bee2cb4ca9e5d631f1b7bc458edcf
    packers: PECRYPT
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
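All four VirusTotal reports above give the same size (110612 bytes), the same MD5 and the same SHA1 for four differently named files, so they are one binary copied under several names. The script below is an added example, not VirusTotal's code and not something posted in the thread: it hashes the executables in a directory and groups identical content under its different names, which is the check to run locally before uploading files one at a time. Because the real sample is not on this page, it builds a temporary directory holding a constructed placeholder blob under three of the names from the post; the hash values it prints are those of the placeholder, not of the real file.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """Return (size, md5, sha1) for one file, read in chunks so large files are fine."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha1.hexdigest()


def find_identical_copies(directory, suffixes=(".exe", ".dll")):
    """Group executables in `directory` by SHA-1 and return only digests that
    appear under more than one file name: {sha1: {"size", "md5", "names"}}."""
    groups = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not name.lower().endswith(suffixes) or not os.path.isfile(full):
            continue
        size, md5, sha1 = hash_file(full)
        group = groups.setdefault(sha1, {"size": size, "md5": md5, "names": []})
        group["names"].append(name)
    return {h: g for h, g in groups.items() if len(g["names"]) > 1}


def build_fixture():
    """Constructed stand-in for system32: one placeholder blob (not a real
    sample) saved under three of the random names from the thread, plus an
    unrelated file. Returns the temp directory path."""
    directory = tempfile.mkdtemp(prefix="hashdemo_")
    placeholder = b"MZ" + bytes(range(256)) * 4   # 1026 bytes of filler, not malware
    for name in ("tytgrhpj.exe", "jpwwbdjd.exe", "kblrhrbc.exe"):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(placeholder)
    with open(os.path.join(directory, "mshta.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)
    return directory


def report(directory):
    """VirusTotal-style 'Additional Information' block for each duplicate group."""
    lines = []
    for sha1, g in find_identical_copies(directory).items():
        lines.append(f"{len(g['names'])} names for one file: {', '.join(g['names'])}")
        lines.append(f"File size: {g['size']} bytes")
        lines.append(f"MD5: {g['md5']}")
        lines.append(f"SHA1: {sha1}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_fixture()))
```

Pointed at a real system32 directory instead of the fixture, one upload per distinct SHA-1 is enough; the names are noise.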

  #36 Ron_Oldenbeuving (Junior Member)
    BitDefender Online Scanner

    Scan report generated at: Wed, Dec 06, 2006 - 11:20:28
    Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

    Statistics
    Time: 01:02:45
    Files: 706775
    Folders: 7572
    Boot Sectors: 3
    Archives: 2822
    Packed Files: 128334

    Results
    Identified Viruses: 2
    Infected Files: 3
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 3

    Engines Info
    Virus Definitions: 325070
    Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
    Scan plugins: 14
    Archive plugins: 38
    Unpack plugins: 6
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File / Status
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038339.bat
        Infected with: Trojan.Zlob.AM; Disinfection failed; Deleted
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP146\A0039015.exe
        Infected with: Trojan.Downloader.PurityScan.AR; Disinfection failed; Deleted
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP151\A0039628.bat
        Infected with: Trojan.Zlob.AM; Disinfection failed; Deleted




    Logfile of HijackThis v1.99.1
    Scan saved at 1:15:24 PM, on 6/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\SiteAdvisor\4608\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\Hijack that.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir..._PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Apple Quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
    O4 - Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158042549062
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162439764859
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10D3004C-C244-4ABE-BC62-25B141215C4A}: NameServer = 192.168.1.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{55541309-B1C4-44FC-8792-E2A93F3E4AE8}: NameServer = 139.134.5.51 139.134.2.190
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MSSQL$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT (file missing)
    O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
    O23 - Service: SQLAgent$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE" -i AUTODESKVAULT (file missing)
    O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

  7. #37
    Neal is offline Dedicated Member
    Thanks for that.



    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select
      • "Delete on Reboot"
      • Then click the "All Files" button if there is more than 1 item to delete.
    • Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C

      C:\WINDOWS\system32\tytgrhpj.exe
      C:\WINDOWS\system32\jpwwbdjd.exe
      C:\WINDOWS\system32\kblrhrbc.exe
      C:\WINDOWS\system32\iebcrqex.exe
      C:\WINDOWS\system32\wnsintsu.exe


    • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.


    Now the rest of those files I had posted about are probably bad also, but "probably" is the key word here, so they need to be scanned as well so we can be sure they are bad and we can run them through Killbox.

    FILES to be scanned

    C:\WINDOWS\system32\acvqsreg.exe
    C:\WINDOWS\system32\bkuiuaqm.exe
    C:\WINDOWS\system32\fstgqlxw.exe
    C:\WINDOWS\system32\rvsxvwym.exe
    C:\WINDOWS\system32\rkewjxeq.exe
    C:\WINDOWS\system32\hfffmevx.exe
    C:\WINDOWS\system32\pvqlhbrx.exe
    C:\WINDOWS\system32\qrvoydnd.exe
    C:\WINDOWS\system32\sxbbwqkf.exe
    C:\WINDOWS\system32\kjmvfqmo.exe
    C:\WINDOWS\system32\afgqotio.exe
    C:\WINDOWS\system32\uvjgxsgh.exe
    C:\WINDOWS\system32\dkjulumy.exe
    C:\WINDOWS\system32\qorpsfda.exe
    C:\WINDOWS\system32\iykwhbkc.exe
    C:\WINDOWS\system32\vmrfirtr.exe
    C:\WINDOWS\system32\obwcwpxn.exe
    C:\WINDOWS\system32\gttcadbf.exe


    Compare the results with those already scanned and, if they are very similar, run them through Killbox following the instructions above; Killbox should be able to kill them all at the same time.

    Thanks.
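
As an added example (not a tool posted in this thread, and not how Neal or the scanners work), a small Python triage script that applies the same checks Neal is making by hand to HijackThis-style lines: it flags 8-letter lowercase names in system32 like the ones listed above as candidates to scan, plus "(file missing)" and "Unknown owner" entries. The sample lines are constructed from the log posted in this thread; the heuristics are assumptions that say "scan this", not a verdict that a file is malicious.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not a tool posted in it: it applies, to a
constructed sample, the same three checks the helper is making by hand
before asking for files to be scanned. A hit is a reason to scan, not a
verdict that the file is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HijackThis log and the bare file
# list posted in this thread (a few lines only, not the complete log).
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\tytgrhpj.exe
C:\WINDOWS\system32\acvqsreg.exe
"""

# First drive-letter or %windir% path on the line, up to a .exe/.dll/.sys
# extension. HijackThis lines put the path last, after the " - " separators.
PATH_RE = re.compile(r"((?:[A-Za-z]:|%windir%)\\.*?\.(?:exe|dll|sys))\b", re.IGNORECASE)

# Eight lowercase letters before the extension: the naming pattern of the
# files Neal listed (tytgrhpj.exe, acvqsreg.exe, ...). Assumed heuristic;
# it is only applied inside system32 so that legitimate 8-letter names
# elsewhere (dtsslsrv.exe under Program Files) are not flagged by it.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    path: str


def extract_path(line: str) -> Optional[str]:
    """Return the first executable path found on a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line_no: int, line: str) -> List[Finding]:
    """Apply the three checks to one log line and return any findings."""
    findings: List[Finding] = []
    path = extract_path(line) or ""
    directory, _, basename = path.rpartition("\\")
    in_system32 = directory.lower().endswith("\\system32")

    if in_system32 and RANDOM_NAME_RE.match(basename):
        findings.append(Finding(line_no, "random 8-letter name in system32: scan before deleting", path))
    if "(file missing)" in line:
        findings.append(Finding(line_no, "entry points at a file that no longer exists", path))
    if "Unknown owner" in line:
        findings.append(Finding(line_no, "service has no publisher string: verify the binary", path))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line; line numbers are 1-based."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line:
            findings.extend(triage_line(n, line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.reason} -> {f.path}")
```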

  8. #38
    Ron_Oldenbeuving is offline Junior Member
    G'day Neal. Sorry for the delay in returning this message. I ran all those files through the scan as you requested. They all returned the same results, so I used Killbox on all of them. Things seem to have settled down on this computer. I then ran the following in the order shown. Seems like cleaning out the restore points might be a good idea, but I'd like your opinion first.

    1. Spy-bot - Nothing found.
    2. Ad-Aware SE - See log.
    3. Trend-Micro PC-cillin Internet Security 2007 - Nothing found.
    4. VundoFix - Nothing found.
    5. AVG (safe mode) - See log.
    6. Smitfraud (safe mode) - See log.
    7. Combofix - see log.
    8. Silent Runner - see log.
    9. Hijack This - see log.
    10. Hijack This Startup List - see log.

    Ad-Aware SE

    ArchiveData(auto-quarantine- 2006-12-11 17-57-50.bckp)
    Referencefile : SE1R137 06.12.2006
    ======================================================

    TRACKING COOKIE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=IECache Entry : Cookie:ron@realmedia.com/
    obj[1]=IECache Entry : C:\Documents and Settings\Carol\Cookies\carol@atdmt[2].txt
    obj[2]=IECache Entry : C:\Documents and Settings\Carol\Cookies\carol@realmedia[1].txt

    AVG

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:55:50 PM 11/12/2006

    + Scan result:



    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038348.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038349.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038350.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038351.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038352.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038354.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038459.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038465.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038487.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP144\A0038496.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP181\A0080968.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP181\A0080970.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP181\A0080977.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082238.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082240.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082241.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082242.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082243.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082244.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082245.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082246.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082247.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082248.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082249.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082250.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082251.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082252.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082253.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082254.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082255.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082256.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082257.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082258.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082259.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082260.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP183\A0082261.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082452.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082453.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082454.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082455.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082456.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082457.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082458.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082459.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082460.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082461.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082462.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082463.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082464.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082465.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082466.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082467.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082468.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082469.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082470.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082471.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082472.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP186\A0082473.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{BBE525DC-4577-4EA1-A72E-81789037FC50}\RP181\A0080782.exe -> Trojan.Small : Cleaned with backup (quarantined).


    ::Report end

    Smitfraud

    SmitFraudFix v2.128

    Scan done at 1858.37, Mon 11/12/2006
    Run from C:\Documents and Settings\Ron\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ron


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ron\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ron\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ComboFix

    Ron - 06-12-11 19:03:24.54 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Program Files\Combofix"

    ((((((((((((((((((((((((((((((( Files Created from 2006-11-11 to 2006-12-11 ))))))))))))))))))))))))))))))))))


    2006-12-11 18:56 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2006-12-11 13:58 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2006-12-11 13:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2006-12-11 13:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2006-12-09 07:09 <DIR> d-------- C:\WINDOWS\system32\DRM
    2006-12-09 00:09 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2006-12-09 00:09 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2006-12-09 00:09 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2006-12-08 10:31 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2006-12-08 10:31 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-12-08 10:31 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-12-08 10:31 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-12-08 10:31 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2006-12-07 22:05 <DIR> d-------- C:\!KillBox
    2006-12-06 09:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2006-12-05 22:10 <DIR> d-------- C:\SiteAdvisor
    2006-12-04 23:25 <DIR> dr-h----- C:\Documents and Settings\Ron\Recent
    2006-11-30 22:02 <DIR> d-------- C:\Program Files\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2006-11-30 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2006-11-30 21:43 <DIR> d-------- C:\Program Files\Site Advisor
    2006-11-29 13:25 <DIR> d-------- C:\Program Files\Combofix
    2006-11-28 09:38 3,138 --a------ C:\WINDOWS\system32\tmp.reg
    2006-11-28 09:27 <DIR> d-------- C:\VundoFix Backups
    2006-11-27 09:43 <DIR> d-------- C:\Program Files\CCleaner
    2006-11-26 14:11 <DIR> d-------- C:\Program Files\SilentRunner
    2006-11-24 14:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-24 14:04 <DIR> d-------- C:\Program Files\Grisoft
    2006-11-23 13:28 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\Lavasoft
    2006-11-23 13:11 <DIR> d-------- C:\Program Files\AdAwareSE
    2006-11-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-11-23 12:11 <DIR> d-------- C:\Program Files\Spybot
    2006-11-16 09:55 31,248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
    2006-11-16 09:55 197,648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
    2006-11-16 09:55 1,051,456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
    2006-11-16 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-11 14:35 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-12-11 13:58 -------- d-------- C:\Program Files\Windows Media Player
    2006-12-11 10:33 -------- d---s---- C:\Documents and Settings\Ron\Application Data\Microsoft
    2006-12-08 21:55 -------- d-------- C:\Program Files\Hijackthis
    2006-12-05 08:45 -------- d-------- C:\Program Files\MSN
    2006-12-04 09:37 -------- d-------- C:\Program Files\BBasics1
    2006-11-29 13:39 -------- d-------- C:\Program Files\Common Files
    2006-11-16 07:08 -------- d-------- C:\Program Files\Trend Micro
    2006-11-14 09:51 -------- d-------- C:\Program Files\Apple Software Update
    2006-11-13 16:32 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
    2006-11-07 18:36 600576 --a------ C:\WINDOWS\system32\mstsc.exe
    2006-11-06 11:35 531568 --a------ C:\WINDOWS\system32\RmActivate_isv.exe
    2006-11-06 11:35 523376 --a------ C:\WINDOWS\system32\RmActivate.exe
    2006-11-06 11:35 519280 --a------ C:\WINDOWS\system32\SecProc_isv.dll
    2006-11-06 11:35 518768 --a------ C:\WINDOWS\system32\SecProc.dll
    2006-11-06 11:35 358000 --a------ C:\WINDOWS\system32\RmActivate_ssp.exe
    2006-11-06 11:35 354416 --a------ C:\WINDOWS\system32\RmActivate_ssp_isv.exe
    2006-11-06 11:35 323696 --a------ C:\WINDOWS\system32\msdrm.dll
    2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp_isv.dll
    2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-11-03 22:01 -------- d-------- C:\Documents and Settings\Ron\Application Data\Goodsol
    2006-11-03 02:19 -------- d-------- C:\Program Files\Bonjour
    2006-11-03 02:13 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-01 09:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-11-01 09:22 -------- d-------- C:\Program Files\NetAccelerator
    2006-10-31 22:02 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-10-31 15:48 -------- d-------- C:\Program Files\Java
    2006-10-31 11:04 -------- d-------- C:\Program Files\Nero
    2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-10-26 11:36 -------- d-------- C:\Program Files\OfficeUpdate11
    2006-10-23 20:40 -------- d-------- C:\Program Files\Autodesk
    2006-10-23 20:28 -------- d-------- C:\Documents and Settings\Ron\Application Data\SolidDynamics
    2006-10-23 20:06 -------- d-------- C:\Program Files\Common Files\Autodesk
    2006-10-23 19:58 -------- d-------- C:\Program Files\Microsoft Office
    2006-10-23 19:58 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-10-23 19:58 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
    2006-10-23 19:58 -------- d-------- C:\Program Files\AnswerWorks 4.0
    2006-10-23 14:42 -------- d-------- C:\Program Files\Apple Quicktime
    2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
    2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
    2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
    2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
    2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
    2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
    2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
    2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
    2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
    2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
    2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
    2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
    2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
    2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
    2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
    2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
    2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
    2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
    2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
    2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
    2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
    2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
    2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
    2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
    2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
    2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
    2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
    2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
    2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
    2006-10-18 21:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
    2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
    2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
    2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
    2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
    2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
    2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
    2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
    2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\WMASF.dll
    2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
    2006-10-18 21:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
    2006-10-18 21:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
    2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
    2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
    2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
    2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
    2006-10-18 21:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
    2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
    2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
    2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
    2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
    2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
    2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
    2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
    2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
    2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
    2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
    2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
    2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
    2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
    2006-10-18 20:00 38528 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
    2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
    2006-10-18 14:59 -------- d-------- C:\Program Files\WinRAR
    2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
    2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-16 17:54 -------- d-------- C:\Program Files\Google Talk
    2006-10-16 17:54 -------- d-------- C:\Program Files\Google
    2006-10-13 23:05 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 23:05 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 23:05 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
    2006-10-13 20:53 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
    2006-10-12 08:02 -------- d-------- C:\Program Files\Common Files\Kodak
    2006-10-12 03:05 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll
    2006-10-12 03:05 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
    2006-10-12 03:05 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll
    2006-10-12 03:05 153088 --a------ C:\WINDOWS\system32\p2p.dll
    2006-10-12 03:05 115712 --a------ C:\WINDOWS\system32\p2pnetsh.dll
    2006-10-12 03:05 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll
    2006-10-11 12:52 -------- d-------- C:\Documents and Settings\Ron\Application Data\Sun
    2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
    2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
    2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
    2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
    2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
    2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
    2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-09-18 11:33 2249 --a------ C:\Documents and Settings\Ron\Application Data\AdobeDLM.log
    2006-09-18 11:33 0 --a------ C:\Documents and Settings\Ron\Application Data\dm.ini
    2006-09-13 15:31 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-12 06:27 62 --ahs---- C:\Documents and Settings\Ron\Application Data\desktop.ini
    2006-09-11 21:13 0 -rahs---- C:\MSDOS.SYS
    2006-09-11 21:13 0 -rahs---- C:\IO.SYS
    2006-09-11 21:13 0 --a------ C:\CONFIG.SYS
    2006-09-11 21:13 0 --a------ C:\AUTOEXEC.BAT


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "KBD"="C:\\HP\\KBD\\KBD.EXE"
    "RTHDCPL"="RTHDCPL.EXE"
    "nwiz"="nwiz.exe /install"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "EPSON Stylus Photo R310 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3F2.EXE /P30 \"EPSON Stylus Photo R310 Series\" /O6 \"USB001\" /M \"Stylus Photo R310\""
    "DT Task"="C:\\Program Files\\Portrait Displays\\forteManager\\DTHtml.exe -startup_folder"
    "QuickTime Task"="\"C:\\Program Files\\Apple Quicktime\\qttask.exe\" -atboottime"
    "pccguide.exe"="C:\\PROGRA~1\\TRENDM~1\\INTERN~2\\pccguide.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
    "SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\4608\\SiteAdv.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000006

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    Completion time: 06-12-11 19:04:35.06

  9. #39
    Ron_Oldenbeuving is offline Junior Member
    SilentRunners

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "OE" = ""C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"" ["Trend Micro Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
    "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
    "PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
    "NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
    "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
    "EPSON Stylus Photo R310 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"" ["SEIKO EPSON CORPORATION"]
    "DT Task" = "C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder" ["Portrait Displays, Inc"]
    "QuickTime Task" = ""C:\Program Files\Apple Quicktime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "pccguide.exe" = "C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" ["Trend Micro Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "SiteAdvisor" = "C:\Program Files\SiteAdvisor\4608\SiteAdv.exe" ["McAfee, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4608\SiteAdv.dll" ["McAfee, Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
    -> {HKLM...CLSID} = "History Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{654D0431-C930-43C4-B8DA-9AA01BA5B486}" = "PDI GUI Engine COM Obj"
    -> {HKLM...CLSID} = "PDI GUI Engine COM Obj"
    \InProcServer32\(Default) = "C:\Program Files\Portrait Displays\forteManager\HtmlEngine.dll" ["Portrait Displays, Inc"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
    "{9999A076-A9E2-4C99-8A2B-632FC9429223}" = "Bonjour"
    -> {HKLM...CLSID} = "Bonjour"
    \InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
    -> {HKLM...CLSID} = "ACTHUMBNAIL"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
    "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
    -> {HKLM...CLSID} = "AcSignIcon"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
    "{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
    -> {HKLM...CLSID} = "VBPropSheet"
    \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2007\VBProp.dll" ["Trend Micro Inc."]
    "{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
    -> {HKLM...CLSID} = "TMD Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2007\Tmdshell.dll" ["Trend Micro Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
    -> {HKLM...CLSID} = "DWFShellExt Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
    -> {HKLM...CLSID} = "Autodesk Inventor® Part Document"
    \InProcServer32\(Default) = "C:\Program Files\Autodesk\Inventor 11\Bin\DT.dll" ["Autodesk, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Default executables:
    --------------------

    HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
    <<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\NOTEPAD.EXE" "%1"" [MS]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "Ron" & "All Users" startup folders:
    -----------------------------------------------------

    C:\Documents and Settings\Ron\Start Menu\Programs\Startup
    "AutoCAD Startup Accelerator" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart17.exe" [null data]


    Enabled Scheduled Tasks:
    ------------------------

    "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
    -> {HKLM...CLSID} = "McAfee SiteAdvisor"
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4608\SiteAdv.dll" ["McAfee, Inc."]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{9999A076-A9E2-4C99-8A2B-632FC9429223}\(Default) = "Bonjour"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

    {7F9DB11C-E358-4CA6-A83D-ACC663939424}\
    "ButtonText" = "Bonjour"

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [file not found]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Asset Management Daemon, Asset Management Daemon, "C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe" [null data]
    Autodesk Data Management Job Dispatch, Autodesk Data Management Job Dispatch, ""C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe"" [null data]
    Autodesk EDM Server, Autodesk EDM Server, ""C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe"" [null data]
    Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    MSSQL$AUTODESKVAULT, MSSQL$AUTODESKVAULT, ""C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT" [MS]
    MSSQL$MICROSOFTSMLBIZ, MSSQL$MICROSOFTSMLBIZ, ""C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ" [MS]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Portrait Displays Display Tune Service, DTSRVC, "C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe" [null data]
    SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\4608\SAService.exe" [null data]
    Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe" ["Trend Micro Inc."]
    Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe" ["Trend Micro Inc."]
    Trend Micro Protection Against Spyware , PcScnSrv, ""C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe"" ["Trend Micro Inc."]
    Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe" ["Trend Micro Inc."]
    Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe" ["Trend Micro Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PDFCreator\Driver = "pdfcmnnt.dll" [null data]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 50 seconds.
    ---------- (total run time: 89 seconds)

    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 7:15:25 PM, on 11/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\SiteAdvisor\4608\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
    C:\Program Files\Hijackthis\Hijack that.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Apple Quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
    O4 - Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158042549062
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162439764859
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10D3004C-C244-4ABE-BC62-25B141215C4A}: NameServer = 192.168.1.10
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
    O23 - Service: Autodesk Data Management Job Dispatch - Autodesk Inc - C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    O23 - Service: Autodesk EDM Server - - C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MSSQL$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe" -sAUTODESKVAULT (file missing)
    O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
    O23 - Service: SQLAgent$AUTODESKVAULT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlagent.EXE" -i AUTODESKVAULT (file missing)
    O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    HijackThis Startup List

    StartupList report, 11/12/2006, 7:16:26 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\Hijackthis\Hijack that.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0011)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Portrait Displays\forteManager\dtsslsrv.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\Program Files\SiteAdvisor\4608\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
    C:\Program Files\Hijackthis\Hijack that.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Ron\Start Menu\Programs\Startup]
    AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    KBD = C:\HP\KBD\KBD.EXE
    RTHDCPL = RTHDCPL.EXE
    nwiz = nwiz.exe /install
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    EPSON Stylus Photo R310 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
    DT Task = C:\Program Files\Portrait Displays\forteManager\DTHtml.exe -startup_folder
    QuickTime Task = "C:\Program Files\Apple Quicktime\qttask.exe" -atboottime
    pccguide.exe = C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    SiteAdvisor = C:\Program Files\SiteAdvisor\4608\SiteAdv.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    OE = "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

    (Default) = "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
    (no name) - C:\PROGRA~1\Spybot\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://eu-housecall.trendmicro-europ...vex/hcImpl.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeup...tent/opuc3.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/windowsu...?1158042549062

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsof...?1162439764859

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    End of report, 7,001 bytes
    Report generated in 0.016 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  10. #40
    Neal is offline Dedicated Member
    Everything looks good, so she is behaving properly now?

    Let me know and we will flush your restore points.
