Win32/NSAnti removal (seems to be popular)



krucify87
2008-02-26, 19:53
hi,

i'm a newbie to this forum though i've read thru some of the other Win32/NSAnti topics...

what do i need to do to get this trojan out of my system?

would appreciate any step-by-step help.

thanks.

i've taken the liberty of downloading combofix. the logfile it produced is posted below:

ComboFix 08-02-25.3 - patrick 2008-02-27 1:47:23.2 - FAT32x86
Running from: J:\downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\WINDOWS\recover.reg
I:\WINDOWS\system32\MSVC60SVV.DLL

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-27 01:44 . 2008-02-27 01:44 <DIR> d--hs---- I:\FOUND.005
2008-02-26 23:11 . 2008-02-26 23:11 <DIR> d--hs---- I:\FOUND.004
2008-02-26 22:45 . 2008-02-26 22:45 <DIR> d-------- I:\Program Files\Spyware Terminator
2008-02-26 22:45 . 2008-02-26 22:45 <DIR> d-------- I:\Documents and Settings\patrick\Application Data\Spyware Terminator
2008-02-26 22:45 . 2008-02-26 22:45 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-26 22:45 . 2008-02-26 22:45 138,752 --a------ I:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-26 21:21 . 2008-02-26 09:17 151,315 -r-hs---- I:\l2quk.exe
2008-02-26 21:21 . 2008-02-27 01:47 639 -r-hs---- I:\autorun.inf
2008-02-26 21:19 . 2008-02-26 21:19 <DIR> d--hs---- I:\FOUND.003
2008-02-26 21:11 . 2008-02-26 09:17 151,315 -r-hs---- I:\WINDOWS\system32\kxvo.exe
2008-02-26 21:11 . 2008-02-27 01:45 71,168 -r-hs---- I:\WINDOWS\system32\fool0.dll
2008-02-25 21:02 . 2008-02-25 21:02 520 --a------ I:\WINDOWS\netdet.ini
2008-02-25 15:39 . 2008-02-25 15:39 287 --a------ I:\WINDOWS\game.ini
2008-02-25 15:12 . 2008-02-25 15:12 <DIR> d-------- I:\Program Files\Activision
2008-02-25 14:44 . 2008-02-25 14:44 <DIR> d--hs---- I:\WINDOWS\ftpcache
2008-02-24 15:29 . 2008-02-24 15:29 <DIR> d-------- I:\Program Files\uTorrent
2008-02-24 15:28 . 2008-02-24 15:28 <DIR> d-------- I:\Documents and Settings\patrick\Application Data\uTorrent
2008-02-23 21:04 . 2008-02-23 21:04 <DIR> d-------- I:\Program Files\Alien Shooter
2008-02-23 20:48 . 2008-02-23 20:48 <DIR> d-------- I:\Program Files\ReflexiveArcade
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\YzShadow
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\WinRoll
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\UberIcon
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\Tiger System Preferences v2
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\ObjectDock
2008-02-23 20:29 . 2008-02-23 20:29 <DIR> d-------- I:\Program Files\iColorFolder
2008-02-23 20:26 . 2004-08-03 16:56 218,624 --a------ I:\WINDOWS\system32\uxtheme.backup
2008-02-23 20:25 . 2008-02-23 20:25 <DIR> d--h----- I:\WINDOWS\FlyakiteOSX
2008-02-21 00:04 . 2008-02-21 00:05 29 --a------ I:\WINDOWS\Battle.ini
2008-02-20 23:35 . 2008-02-20 23:50 16 --a------ I:\WINDOWS\popcinfo.dat
2008-02-19 21:01 . 2008-02-19 21:01 <DIR> d-------- I:\Program Files\Common Files\Adobe Systems Shared
2008-02-19 21:01 . 2008-02-19 21:01 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-12 20:55 . 2000-12-08 21:59 122,880 --a------ I:\WINDOWS\UnGins.exe
2008-02-10 13:57 . 2008-02-10 13:57 <DIR> d-------- I:\Program Files\Chicken Invaders
2008-02-09 10:43 . 2008-02-09 10:43 <DIR> d-------- I:\Program Files\Macromedia
2008-02-09 10:43 . 2008-02-09 10:43 <DIR> d-------- I:\Program Files\Common Files\Macromedia
2008-02-05 22:05 . 2008-02-05 22:05 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\WildTangent
2008-02-03 18:39 . 2008-02-03 18:39 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-02-03 18:38 . 2008-02-03 18:38 <DIR> d-------- I:\Program Files\Luxor 3
2008-01-31 21:53 . 2007-07-19 18:14 3,727,720 --a------ I:\WINDOWS\system32\d3dx9_35.dll
2008-01-31 21:53 . 2007-04-04 18:53 81,768 --a------ I:\WINDOWS\system32\xinput1_3.dll
2008-01-31 21:44 . 2008-01-31 21:44 <DIR> d-------- I:\WINDOWS\Downloaded Installations
2008-01-31 21:44 . 2008-01-31 21:44 <DIR> d-------- I:\Program Files\D-Tools
2008-01-31 21:44 . 2004-08-22 16:31 155,136 --a------ I:\WINDOWS\system32\drivers\d347bus.sys
2008-01-31 21:44 . 2004-08-22 16:31 5,248 --a------ I:\WINDOWS\system32\drivers\d347prt.sys
2008-01-30 09:59 . 2008-01-30 09:59 <DIR> d--hs---- I:\FOUND.002
2008-01-26 14:38 . 2008-01-26 14:38 <DIR> d-------- I:\Program Files\Feeding Frenzy
2008-01-26 14:36 . 2008-01-26 14:36 <DIR> d-------- I:\Program Files\GameHouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 12:29 2,138,368 ----a-w I:\WINDOWS\system32\ntoskrnl.exe
2008-02-23 12:29 2,014,208 ----a-w I:\WINDOWS\system32\ntkrnlpa.exe
2008-02-23 12:26 218,624 ----a-w I:\WINDOWS\system32\uxtheme.dll
2008-01-16 08:53 --------- d-----w I:\Program Files\Flash Movie Player
2008-01-15 06:12 73,216 ----a-w I:\WINDOWS\ST6UNST.EXE
2008-01-12 05:25 --------- d-----w I:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-12 05:25 --------- d-----w I:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-12 05:05 --------- d-----w I:\Program Files\Call of Duty
2008-01-11 15:35 --------- d-----w I:\Program Files\HomeKeylogger
2008-01-11 07:03 --------- d-----w I:\Documents and Settings\patrick\Application Data\Cakewalk
2007-12-29 05:15 32 ----a-w I:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-29 05:15 --------- d-----w I:\Documents and Settings\patrick\Application Data\skypePM
2007-12-28 19:45 --------- d-----w I:\Program Files\Skype
2007-12-28 19:45 --------- d-----w I:\Program Files\Common Files\Skype
2007-12-28 19:45 --------- d-----w I:\Documents and Settings\patrick\Application Data\Skype
2007-12-28 19:45 --------- d-----w I:\Documents and Settings\All Users\Application Data\Skype
2007-12-26 14:14 --------- d-----w I:\Program Files\mIRC
2003-01-12 04:41 3,392 ----a-w I:\WINDOWS\inf\OTHER\cmiainfo.sys
.

------- Sigcheck -------

fb77859d24d31cb3ca43177cf0ebddce I:\WINDOWS\system32\user32.dll
----a-w 576,512 2004-08-03 08:56:48 I:\WINDOWS\system32\user32.dll
----a-w 576,512 2004-08-03 08:56:48 I:\WINDOWS\system32\dllcache\user32.dll
----a-w 577,024 2004-08-03 08:56:48 I:\WINDOWS\FlyakiteOSX\Backup\user32.dll

d866a8e7ce1c2f09c2c4276f9a615c0a I:\WINDOWS\system32\wininet.dll
----a-w 677,376 2004-08-03 08:56:48 I:\WINDOWS\system32\wininet.dll
----a-w 677,376 2004-08-03 08:56:48 I:\WINDOWS\system32\dllcache\wininet.dll
----a-w 656,384 2004-08-03 08:56:48 I:\WINDOWS\FlyakiteOSX\Backup\wininet.dll

969f998bbedbfd55f1fcc094fa4da886 I:\WINDOWS\system32\ntkrnlpa.exe
----a-w 2,014,208 2008-02-23 12:29:22 I:\WINDOWS\system32\ntkrnlpa.exe
----a-w 2,056,832 2004-08-03 09:05:44 I:\WINDOWS\FlyakiteOSX\Backup\ntkrnlpa.exe

fea005a44fb744a31be860f6e8bf8ab6 I:\WINDOWS\system32\ntoskrnl.exe
----a-w 2,138,368 2008-02-23 12:29:22 I:\WINDOWS\system32\ntoskrnl.exe
----a-w 2,180,992 2004-08-03 07:20:00 I:\WINDOWS\FlyakiteOSX\Backup\ntoskrnl.exe

5de8ffe4acd3c0a3c0166a6129a12241 I:\WINDOWS\explorer.exe
----a-w 1,364,480 2004-08-03 08:56:50 I:\WINDOWS\explorer.exe
----a-w 1,364,480 2004-08-03 08:56:50 I:\WINDOWS\system32\dllcache\explorer.exe
----a-w 1,032,192 2004-08-03 08:56:50 I:\WINDOWS\FlyakiteOSX\Backup\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="I:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]
"Alt+Q Hotkey Tool"="I:\WINDOWS\Alt+Q Hotkey.exe" [2005-12-19 03:14 27648]
"UberIcon"="I:\Program Files\UberIcon\UberIcon Manager.exe" [2006-02-24 08:32 188416]
"Yz Shadow"="I:\Program Files\YzShadow\YzShadow.exe" [2006-02-24 10:51 172032]
"kxva"="I:\WINDOWS\system32\kxvo.exe" [2008-02-26 09:17 151315]
"Yahoo! Pager"="I:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"RemoteControl"="I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="I:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"LGODDFU"="I:\Program Files\lg_fwupdate\fwupdate.exe" [2007-11-25 22:38 249856]
"NeroFilterCheck"="I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="I:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 15:55 1628208]
"InCD"="I:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 15:55 1057328]
"AVG7_CC"="I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 22:38 579072]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2007-11-26 12:24 98304]
"TkBellExe"="I:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-26 12:36 185896]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"Adobe Reader Speed Launcher"="I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvCplDaemon"="I:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 I:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 98304 I:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools-1033"="I:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"System Files Updater"="I:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-26 07:41 118485]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-26 01:52 219136]

I:\Documents and Settings\patrick\Start Menu\Programs\Startup\
Adobe Gamma.lnk - I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Stardock ObjectDock.lnk - I:\Program Files\ObjectDock\ObjectDock.exe [2005-07-15 06:13:06 1802309]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"I:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"I:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"I:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"I:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"I:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"I:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"I:\\Program Files\\mIRC\\mirc.exe"=
"I:\\Program Files\\Skype\\Phone\\Skype.exe"=
"I:\\Program Files\\uTorrent\\uTorrent.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa652f1-c4cc-11dc-b4eb-f46d4b55c9ac}]
\Shell\AutoRun\command - L:\xo8wr9.exe
\Shell\explore\Command - L:\xo8wr9.exe
\Shell\open\Command - L:\xo8wr9.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"I:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 01:49:38
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-27 1:50:23
ComboFix-quarantined-files.txt 2008-02-26 17:50:22

+_+_+_

hope someone can help..thanks a bunch. :)

krucify87
2008-02-27, 00:48
just got hijackthis.

below is the log it produced.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:50 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\Program Files\Spyware Terminator\sp_rsser.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\RunDll32.exe
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
I:\Program Files\lg_fwupdate\fwupdate.exe
I:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
I:\Program Files\Nero\Nero 7\InCD\InCD.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\D-Tools\daemon.exe
I:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
I:\WINDOWS\system32\ctfmon.exe
I:\WINDOWS\Alt+Q Hotkey.exe
I:\Program Files\UberIcon\UberIcon Manager.exe
I:\Program Files\YzShadow\YzShadow.exe
I:\Program Files\ObjectDock\ObjectDock.exe
I:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
I:\Program Files\Winamp\winamp.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\Program Files\internet explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - I:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - I:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - I:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "I:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "I:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] I:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "I:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [System Files Updater] I:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKCU\..\Run: [FreeRAM XP] "I:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] I:\WINDOWS\Alt+Q Hotkey.exe
O4 - HKCU\..\Run: [UberIcon] "I:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [Yz Shadow] I:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [kxva] I:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "I:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] I:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = I:\Program Files\ObjectDock\ObjectDock.exe
O4 - Startup: RK Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: FreshDownload - {3E8A8981-799A-4218-8340-505EC9760462} - I:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{588048B7-2EC3-4A52-B026-F7E371422CD3}: NameServer = 210.14.16.5 210.14.16.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - I:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - I:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7281 bytes

+_+_+_

thanks in advance :laugh: