PDA

View Full Version : Agobot-ku Worm



Garry
2007-01-12, 14:01
Hi, When I looked over the Spybot S&D system start-up window I noticed an entery with the key: HK_LM:Runonce.EX & the filename: System32.exe. The discription window said the entry was added by the AGOBOT-KU WORM. My anti-virus software did not detect the worm though. Could you please tell me how to remove this worm if I have it? The system start-up window also detected an entery with the Key:HK_CU:Run and the value: ctfmon.exe. The discription window said this was a parasite related to hijacking to slawsearch.com. My anti-virus software did not detect this parasite either. As you can probably tell, I don't know much about computers or programing (I think I will start learning know though). I would greatly appreciate any help you could give me.

Shaba
2007-01-12, 17:41
Hi Garry

Use this (http://downloads.malwareremoval.com/hijackthis_sfx.exe) link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run. Choose the 'Do a system scan and save a logfile'
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.

Now post your HijackThis log into this topic.

Garry
2007-01-13, 00:45
Thanks for your help Shaba. Here is a copy of the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:22:43 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\program files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O4 - Global Startup: MiniMavis.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\Aim\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Shaba
2007-01-13, 12:01
Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report

Garry
2007-01-13, 23:49
Hi,

I am sorry I didn’t mention it in my initial post; but I already ran a Kaspersky online scan. I ran the scan on Friday, before I contacted you. Kaspersky said it was their most up to date anti-virus database. I believe it had 243,000 some odd viruses recorded in it. I don’t think it said it was an extended database though. I selected my computer as the target of the scan. The scan did not find any viruses; so I did not save a copy of the scan results. However, if you want me to, I will be happy to run the scan again. Before running the Kaspersky scan I performed a deep scan (I think it took about 9 hours) with a-squared anti-malware (the free version) by EMSI software. That scan found what it classified as a Heuristic Dialer; but the file name is C: \ program files\ Compaq\ Digital Dashboard\ syncClk.exe so I think it is Compaq software, and not a real threat. However, I quarantined it for now anyway. I think the scan also found a data miner (which I deleted). In addition, it found 103 tracking cookies. I would send you a copy of the log but I don’t have one, it doesn’t store logs or results like Spybot S&D does.

Garry
2007-01-14, 04:23
Hi,

I decided to run a new scan. The scan report says object is locked and last action was skipped for all files scaned. Is this normal or did it skip all of the files?

KASPERSKY ONLINE SCANNER REPORT
Saturday, January 13, 2007 8:42:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/01/2007
Kaspersky Anti-Virus database records: 258228


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 106354
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 02:54:01

Infected Object Name Virus Name Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SchedLog.Txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01102007-172311.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Garrret Trehy Jr\triggers.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Temp\~DFF18C.tmp Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Temp\~DFF193.tmp Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{61A2791C-4DCD-410D-9C1B-D6203F53430E} Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Garrret Trehy Jr\ntuser.dat Object is locked skipped

C:\System Volume Information\_restore{B24D3942-B8D2-487A-ADAA-2906A8061C2A}\RP374\change.log Object is locked skipped

Scan process completed.

Here is a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:44 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\program files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O4 - Global Startup: MiniMavis.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\Aim\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Garry
2007-01-14, 09:36
Hi Shaba,

Is there a way to scan the files that were not scaned by the Kaspersky online scanner (the locked objects)? The files that the SpyBot S&D Startup Tool describes as viruses both have system 32 in the file name. :

(key) HK_LM:RunOnce
Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________




(key) HK_CU:Run
(value) ctfmon.exe
(command line) C:\WINDOWS\system32\ctfmon.exe

Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe

Description
_CoolWebSearch_ parasite related - hijacking to Slawsearch.com

Source: Paul Collins Startup list
____________________

Although, I didn’t see system32exe or C:\WINDOWS\system32\ctfmon.exe listed on the scan reports list of locked objects.

Shaba
2007-01-14, 12:00
Hi

Locked objects are those which are in use and those which are locked in kaspersky report aren't viruses.

This is a false positive, see (http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/):

(key) HK_CU:Run
(value) ctfmon.exe
(command line) C:\WINDOWS\system32\ctfmon.exe

Current filename: C:\WINDOWS\system32\ctfmon.exe

For that another, let's do this:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Garry
2007-01-15, 13:27
Hello Shaba,

I took your link to the Uniblue Process Library, and took a link there to get the SpyEraser download. SpyEraser found some threats; but none of them seemed to have the process file ctfmon.exe associated with them. I couldn’t fix any of the problems with out buying SpyEraser. So I decided to look around, I found RegCure (the link was "Fix Ctfmon.exe" but I couldn't post it here) at http://www.pc-optimize.com/exe_errors.htm?gclid=CJ3w7bum4okCFSoIFQodbEulKw but I figured I better ask you if you are familiar with this sight first. Do you think I should trust it; or do you have another suggestion? When I tried to download combofix.exe a dialog window popped up that said: “Tool name error!! Please do not rename the tool. Kindly rename it back to ComboFix.exe” (the only difference I could see in the two names was that the C & F were capitalized) I went to bleepingcomputer.com and searched for ComboFix.exe in their database but did not find anything. So I decided to look in the virus encyclopedias of various anti-virus companies. Sophos was the only company I found with the W32/Agobot-Ku virus in its encyclopedia and their web sight says all of their anti-virus software checks for it. Kaspersky labs calls the virus Backdoor.Win32.Agobot., but their web sight says “currently there is no description available for this program” and it did not say for certain that it still scans for it. So I decided to download Sophos anti-virus (free 30 day trial) and run a scan. It did not find Agobot-Ku. So I guess I don’t have it. Right? Maybe my old anti-virus software deleted it (three people use this computer and I recently changed anti-virus software and uninstalled my old one; so I can’t check the log). I never looked at the SpyBot S&D System start up window until this past Thursday. So do you think I should just delete HK_LM:RunOnce from the SpyBot S&D System start up window and not worry about it or should I do more checking?

Shaba
2007-01-15, 18:08
Hi

RegCure and SpyEraser aren't familiar to me, sorry.

Well, we'll try then winpfind:

Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

Garry
2007-01-15, 19:08
Hi,

When I tried to send the report I was told "The text that you have entered is too long (28061 characters). Please shorten it to 20000 characters long." So I will try sending it in 2 parts.
Here is part 1 of the WinPFind report:

WinPFind3 logfile created on: 1/15/2007 11:28:11 AM
WinPFind3U by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Garrret Trehy Jr\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

326192 Kb Total Physical Memory | 120908 Kb Available Physical Memory | 37.07% Memory free
791480 Kb Paging File | 532584 Kb Available in Paging File | 67.29% Paging File free
Paging file location(s): C:\pagefile.sys 480 960;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 57169344 Kb Total Space | 40096032 Kb Free Space | 70.14% Space Free
Drive D: | 2861960 Kb Total Space | 1833500 Kb Free Space | 64.06% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded


[Processes - Non-Microsoft Only]
almon.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.8.49.127 | Size = 245760 bytes | Modified Date = 10/12/2006 12:32:52 PM | Attr = ]
alsvc.exe -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.18.121 | Size = 163840 bytes | Modified Date = 10/12/2006 12:34:32 PM | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 343552 bytes | Modified Date = 1/8/2007 4:25:44 PM | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.418 | Size = 406016 bytes | Modified Date = 1/8/2007 4:25:44 PM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 1/8/2007 4:25:48 PM | Attr = ]
bttnserv.exe -> %ProgramFiles%\Compaq\Easy Access Button Support\BttnServ.exe -> Compaq Computer Corporation [Ver = 4.00.061 | Size = 106496 bytes | Modified Date = 12/18/1999 4:33:14 AM | Attr = ]
cpqeadm.exe -> %ProgramFiles%\Compaq\Easy Access Button Support\CPQEADM.exe -> Compaq Computer Corporation [Ver = 6.00.006 | Size = 413696 bytes | Modified Date = 4/7/2000 9:14:02 PM | Attr = ]
eausbkbd.exe -> %ProgramFiles%\Compaq\Easy Access Button Support\EAUSBKBD.exe -> Compaq Computer Corporation [Ver = 6.00.096 | Size = 73728 bytes | Modified Date = 4/5/2000 2:36:16 PM | Attr = ]
pctspk.exe -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 10:36:54 PM | Attr = ]
savadminservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SAVAdminService.exe -> Sophos Plc [Ver = 1.0.0.1060 | Size = 69632 bytes | Modified Date = 10/4/2006 11:43:06 AM | Attr = ]
savservice.exe -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavService.exe -> Sophos Plc [Ver = 1.0.0.1060 | Size = 86016 bytes | Modified Date = 10/4/2006 11:43:28 AM | Attr = ]
teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
tgcmd.exe -> %ProgramFiles%\Support.com\bin\tgcmd.exe -> BellSouth [Ver = 5,6,1019,0 | Size = 1855488 bytes | Modified Date = 8/31/2005 2:16:24 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.10.0 | Size = 306176 bytes | Modified Date = 1/12/2007 4:20:26 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 343552 bytes | Modified Date = 1/8/2007 4:25:44 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 1/8/2007 4:25:48 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:00:00 PM | Attr = ]
(KodakCCS) Kodak Camera Connection Software [Win32_Own | On_Demand | Stopped] -> %System32%\drivers\KodakCCS.exe -> File not found
(Pctspk) PCTEL Speaker Phone [Win32_Own | Auto | Running] -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 10:36:54 PM | Attr = ]
(SAVAdminService) Sophos Anti-Virus status reporter [Win32_Own | Unknown | Running] -> -> File not found
(SAVService) Sophos Anti-Virus [Win32_Own | Unknown | Running] -> -> File not found
(Sophos AutoUpdate Service) Sophos AutoUpdate Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Sophos\AutoUpdate\ALsvc.exe -> Sophos Plc [Ver = 3.7.18.121 | Size = 163840 bytes | Modified Date = 10/12/2006 12:34:32 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.418 | Size = 406016 bytes | Modified Date = 1/8/2007 4:25:44 PM | Attr = ]
CPQEASYACC -> %ProgramFiles%\Compaq\Easy Access Button Support\CPQEADM.exe -> Compaq Computer Corporation [Ver = 6.00.006 | Size = 413696 bytes | Modified Date = 4/7/2000 9:14:02 PM | Attr = ]
tgcmd -> %ProgramFiles%\Support.com\BellSouth\hcenter.exe -> BellSouth [Ver = 6,1,35,0 | Size = 1277952 bytes | Modified Date = 7/25/2004 3:45:18 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe -> Safer Networking Limited [Ver = 1, 4, 0, 2 | Size = 1415824 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\AutoUpdate Monitor.lnk -> %ProgramFiles%\Sophos\AutoUpdate\ALMon.exe -> Sophos Plc [Ver = 3.8.49.127 | Size = 245760 bytes | Modified Date = 10/12/2006 12:32:52 PM | Attr = ]
-> %AllUsersStartup%\Kodak EasyShare software.lnk -> File not found
-> %AllUsersStartup%\KODAK Software Updater.lnk -> File not found
-> %AllUsersStartup%\MiniMavis.lnk -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\\Windows Update Menu Text -> Product Updates ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\CompletedModifications\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\CompletedModifications\\ChannelDefault -> 29676184 ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > -> C:\WINDOWS\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409 ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Page_URL -> http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409 ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html ->
HKCU: Search Page -> http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com ->
HKCU: Start Page -> http://www.msn.com/ ->
HKCU: SearchAssistant -> http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409 ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
aol.com [ - ] -> ->
free_aol.com [ - ] -> ->
free_aol.com [http] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL [Yahoo! Companion BHO] -> File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\ACROBAT 6.0\Reader\ActiveX\ACROIEHELPER.DLL [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 11/3/2003 2:17:44 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} [HKLM] -> %ProgramFiles%\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] -> [Ver = 2, 5, 0, 25 | Size = 405504 bytes | Modified Date = 4/16/2004 7:43:12 PM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL [Yahoo! Companion] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL [Yahoo! Companion] -> File not found
< Internet Explorer CmdMapping [HKCU] > ->

Garry
2007-01-15, 19:10
Here is part 2:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{06FE5D02-8F11-11d2-804F-00105A133818} -> 8195 - &Find Pages Linking to this URL ->
{06FE5D03-8F11-11d2-804F-00105A133818} -> 8196 - Find Other Pages on this &Host ->
{06FE5D04-8F11-11d2-804F-00105A133818} -> 8197 - AV Home ->
{06FE5D05-8F11-11d2-804F-00105A133818} -> 8194 - AV &Translate ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> 8199 - Reg Data - Value does not exist ->
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> 8198 - Reg Data - Value does not exist ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8193 - Windows Messenger ->
NextId -> 8200 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{06FE5D02-8F11-11d2-804F-00105A133818} [HKLM] -> Reg Data - Key not found [MenuText: &Find Pages Linking to this URL] -> File not found
{06FE5D03-8F11-11d2-804F-00105A133818} [HKLM] -> Reg Data - Key not found [MenuText: Find Other Pages on this &Host] -> File not found
{06FE5D04-8F11-11d2-804F-00105A133818} [HKLM] -> Reg Data - Key not found [MenuText: AV Home] -> File not found
{06FE5D05-8F11-11d2-804F-00105A133818} -> http:\search.presario.net\scripts\redirectors\presario\srchredir.dll [ButtonText: Translate] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\Netscape\Communicator\Program\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.3797 | Size = 67160 bytes | Modified Date = 6/2/2005 1:34:34 AM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
Easy-WebPrint Add To Print List -> %ProgramFiles%\CANON\EASY-WEBPRINT\Resource.dll\RC_AddToList.htm -> File not found
Easy-WebPrint High Speed Print -> %ProgramFiles%\CANON\EASY-WEBPRINT\Resource.dll\RC_HSPrint.htm -> File not found
Easy-WebPrint Preview -> %ProgramFiles%\CANON\EASY-WEBPRINT\Resource.dll\RC_Preview.htm -> File not found
Easy-WebPrint Print -> %ProgramFiles%\CANON\EASY-WEBPRINT\Resource.dll\RC_Print.htm -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 5:05:42 PM | Attr = ]
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} [HKLM] -> Reg Data - Key not found [Autoplay for SlideShow] -> File not found
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{5905D5DE-79B4-4149-AE02-9847C2A328ED} [HKLM] -> Reg Data - Key not found [SendToPhoneShl extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 8/4/2004 12:00:00 PM | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 1/8/2007 4:25:46 PM | Attr = ]
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Find Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 1/8/2007 4:25:46 PM | Attr = ]
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a-squared Free Context Menu Shell Extension] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 7/18/2006 12:32:50 PM | Attr = ]
{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} [HKLM] -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavShellExt.dll [Sophos Anti-Virus Shell Extension] -> Sophos Plc [Ver = 1.0.0.1060 | Size = 307200 bytes | Modified Date = 10/4/2006 11:45:08 AM | Attr = ]
{acb4a560-3606-11d3-aef4-00104bd0f92d} [HKLM] -> %CommonProgramFiles%\Kodak\ifscore\KodakShX.dll [KodakShellExtension] -> Eastman Kodak Company [Ver = 2.0.2300.3 | Size = 183296 bytes | Modified Date = 3/31/2005 7:53:42 AM | Attr = ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\REALPLAYER\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.1946 | Size = 49198 bytes | Modified Date = 12/5/2004 10:55:02 PM | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 1/8/2007 4:25:46 PM | Attr = ]
{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} [HKLM] -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavShellExt.dll [SavShellExt] -> Sophos Plc [Ver = 1.0.0.1060 | Size = 307200 bytes | Modified Date = 10/4/2006 11:45:08 AM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 12/17/2004 9:00:00 AM | Attr = ]
< ContextMenuHandlers - AllFilesystemObjects [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a2FreeContMenu] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 7/18/2006 12:32:50 PM | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} [HKLM] -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavShellExt.dll [SavShellExt] -> Sophos Plc [Ver = 1.0.0.1060 | Size = 307200 bytes | Modified Date = 10/4/2006 11:45:08 AM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 12/17/2004 9:00:00 AM | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{A155339D-CCCD-4714-85EB-3754B804C9DF} [HKLM] -> %ProgramFiles%\a-squared Free\a2freecontmenu.dll [a2FreeContMenu] -> Emsi Software GmbH [Ver = 2.0.0.48 | Size = 508928 bytes | Modified Date = 7/18/2006 12:32:50 PM | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 1/8/2007 4:25:46 PM | Attr = ]
{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D} [HKLM] -> %ProgramFiles%\Sophos\Sophos Anti-Virus\SavShellExt.dll [SavShellExt] -> Sophos Plc [Ver = 1.0.0.1060 | Size = 307200 bytes | Modified Date = 10/4/2006 11:45:08 AM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Modified Date = 12/17/2004 9:00:00 AM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{27F0F333-56B0-4CF0-AA26-90123A480005} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 844314 bytes | Modified Date = 8/4/2004 12:00:00 PM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{13EC55CF-D993-475B-9ACA-F4A384957956} -> Controller Class - CodeBase = https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab ->
{193C772A-87BE-4B19-A7BB-445B226FE9A1} -> ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab ->
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc2.cab ->
{41F17733-B041-4099-A042-B518BB6A408C} -> - CodeBase = http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab ->
{9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} -> HPObjectInstaller Class - CodeBase = http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38383.677974537 ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://c:\windows\SYSTEM\dajava.cab ->
Internet Explorer Classes for Java -> - CodeBase = file://c:\windows\SYSTEM\iejava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->

[Files - Created Wihin 30 days]
AVG7QT.DAT -> %SystemDrive%\AVG7QT.DAT -> [Ver = | Size = 12288463 bytes | Created Date = 1/8/2007 4:29:37 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 334090240 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
boot.ini.comodofirewall -> %SystemDrive%\boot.ini.comodofirewall -> [Ver = | Size = 221 bytes | Created Date = 1/8/2007 7:31:31 PM | Attr = ]
SophosBootTasks.exe -> %System32%\SophosBootTasks.exe -> Sophos Plc [Ver = 1.0.0.1017 | Size = 15872 bytes | Created Date = 1/15/2007 12:28:55 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 816672 bytes | Created Date = 1/8/2007 4:25:47 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 1/8/2007 4:25:51 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7,1,0,398 | Size = 28416 bytes | Created Date = 1/8/2007 4:25:52 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.416 | Size = 18240 bytes | Created Date = 1/8/2007 4:25:53 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 1/8/2007 4:25:53 PM | Attr = ]
savonaccessfilter.sys -> %System32%\drivers\savonaccessfilter.sys -> Sophos plc [Ver = 3.6.0.222 | Size = 24064 bytes | Created Date = 1/15/2007 12:25:28 AM | Attr = ]
savonaccesscontrol.sys -> %System32%\drivers\savonaccesscontrol.sys -> Sophos plc [Ver = 3.6.0.222 | Size = 80128 bytes | Created Date = 1/15/2007 12:25:28 AM | Attr = ]

[Files - Modified Wihin 30 days]
AVG7QT.DAT -> %SystemDrive%\AVG7QT.DAT -> [Ver = | Size = 12288463 bytes | Modified Date = 1/8/2007 4:29:42 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 334090240 bytes | Modified Date = 1/15/2007 9:12:32 AM | Attr = HS]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 220 bytes | Modified Date = 1/8/2007 7:31:32 PM | Attr = HS]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 1/15/2007 9:12:36 AM | Attr = S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 1/8/2007 8:40:08 PM | Attr = ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 571 bytes | Modified Date = 1/12/2007 5:04:28 AM | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 1/3/2007 7:43:32 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13726 bytes | Modified Date = 1/15/2007 10:46:26 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 816672 bytes | Modified Date = 1/8/2007 4:25:48 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 1/8/2007 4:25:52 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7,1,0,398 | Size = 28416 bytes | Modified Date = 1/8/2007 4:25:54 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.416 | Size = 18240 bytes | Modified Date = 1/8/2007 4:25:54 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 1/8/2007 4:25:54 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
Thawte Consulting , USERTRUST , -> %CommonProgramFiles%\mozilla.org\GRE\1.7.2_2004080415\nssckbi.dll -> [Ver = | Size = 183664 bytes | Modified Date = 8/4/2004 4:41:00 PM | Attr = ]
PEC2 , WSUD , -> %CommonProgramFiles%\SpeechEngines\Microsoft\SR61\1033\AF031033.AM -> [Ver = | Size = 7048576 bytes | Modified Date = 11/22/2002 1:27:36 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 12:00:00 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 12:00:00 PM | Attr = ]
PEC2 , -> %System32%\Dwapilib.tlb -> [Ver = | Size = 197171 bytes | Modified Date = 2/14/1997 11:24:14 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 816672 bytes | Modified Date = 1/8/2007 4:25:48 PM | Attr = ]

< End of report >

Shaba
2007-01-15, 19:40
I see nothing bad there but let's check this:

Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post

Garry
2007-01-15, 20:44
Hi,

Here is Part 1 of the Startup List:

StartupList report, 1/15/2007, 1:31:39 PM
StartupList version: 1.52.2
Started from : C:\program files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\program files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Garrret Trehy Jr\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Kodak EasyShare software.lnk.disabled
KODAK Software Updater.lnk.disabled
MiniMavis.lnk.disabled
AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
tgcmd = "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Garry
2007-01-15, 20:45
Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Synchronize Time.job
Check E-mail.job
Maintenance-Defragment programs.job
Maintenance-Disk cleanup.job
Uniblue SpyEraser.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://c:\windows\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Controller Class]
InProcServer32 = C:\WINDOWS\system32\WINSSWEBAGENT.DLL
CODEBASE = https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab

[HPObjectInstaller Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HPCOMMUNICATION.DLL
CODEBASE = http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38383.677974537

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ESS Allegro Audio Driver (WDM): system32\drivers\es198x.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: system32\DRIVERS\cmdide.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
i81x: system32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: system32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: system32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: system32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: system32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: system32\DRIVERS\wVchNTxx.sys (manual start)
iAimFP5: system32\DRIVERS\wADV07nt.sys (manual start)
iAimFP6: system32\DRIVERS\wADV08nt.sys (manual start)
iAimFP7: system32\DRIVERS\wADV09nt.sys (manual start)
iAimTV0: system32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: system32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: system32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: system32\DRIVERS\wCh7xxNT.sys (manual start)
iAimTV5: system32\DRIVERS\wATV10nt.sys (manual start)
iAimTV6: system32\DRIVERS\wATV06nt.sys (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Intel PentiumIII Processor Driver: system32\DRIVERS\p3.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCTEL Speaker Phone: %SystemRoot%\system32\pctspk.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PCTEL Serial Device Driver for PCI: system32\DRIVERS\ptserlp.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Sophos Anti-Virus status reporter: "c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" (autostart)
SAVOnAccess Control: system32\DRIVERS\savonaccesscontrol.sys (system)
SAVOnAccess Filter: system32\DRIVERS\savonaccessfilter.sys (system)
Sophos Anti-Virus: "c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sophos AutoUpdate Service: "c:\Program Files\Sophos\AutoUpdate\ALsvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{335D1AE0-A21E-4CA7-861A-714EE1ADDA44} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
XP Vmodem: system32\DRIVERS\vmodem.sys (system)
XP Vpctcom: system32\DRIVERS\vpctcom.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
XP Vvoice: system32\DRIVERS\vvoice.sys (system)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,832 bytes
Report generated in 0.681 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Are the items that say registry not found bad?

Shaba
2007-01-15, 20:53
Hi

No, they're not.

That RunOnce key doesn't even exixt according to that report.

So, I think that some kind of false positive :)

Garry
2007-01-16, 07:27
Thank you Shaba,

I guess the entery:

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

That is listed about 2/5 of the way down on page 2 Is different, right (I know I don’t know what I am talking about)?
What about C:\Windows\system32\ctfmon.exe ( what SpyBot S&D calls a hijacking parasite)? Did you see that anywhere? I saw:
--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------
Also listed about 2/5 of the way down on page 2. Is this a problem?

Shaba
2007-01-16, 15:15
Hi

For ctfmon.exe, see this link (http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/)

So it's legit, related to Microsoft Office :)

Garry
2007-01-19, 14:23
Hi Shaba,

I scanned my registry with both Registry Mechanic (by PC Tools) and Registry Booster (by Uniblue). Neither one of these two programs detected a problem related to ctfmon.exe. So, I guess this was also a false-positive (I hope). Thanks, again, for all your help.

Shaba
2007-01-19, 18:48
Hi

Ok, I think same too :)

Shaba
2007-01-24, 20:18
This Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.