Internet Explorer x4, CPU 100%, web-site redirecting

sdane
2008-08-27, 21:02
Hi,

My computer is causing me a headache lately; here is the chronology:

1. low on virtual memory (started couple of months ago)
2. having problems with ending programs when shutting down since 10 days ago: have to manually "end" DDE Server Window and iexplorer.exe - up to 4 times
3. CPU goes to 100% more and more often, especially when a web-page is open for more than 5 minutes (msn.com). Task Manager shows 3-4 iexplorer.exe programs running at the same time although only one window is open
4. and since yesterday, most links from Google-search get redirected to some video-webpage

I followed your instructions "before posting", used Spybot, and here is the HJT log (Fælles filer = common files):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:42 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Analog Devices\SoundMAX\Smax4.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Programmer\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmer\Common Files\System\svchost.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\Programmer\Common Files\System\fldr_help.acm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FÆLLES~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programmer\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programmer\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: update.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: update.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120475938252
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181576064626
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 15108 bytes




Thanks
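As an added example (not part of this thread, and not HijackThis or Spybot code): a small Python triage script that applies a few defender-side heuristics to lines in HijackThis log format, run over a constructed sample modelled on entries from the log above. The rules, the severity scale and the locale check (an English "Common Files" path on a Danish install whose shared folder is "Fælles filer") are my own assumptions for illustration; the script only marks lines for a human reviewer, it removes nothing.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on a few entries from the
# log posted above (not the full log). Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r'''
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe "C:\Programmer\Common Files\System\svchost.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\Programmer\Common Files\System\fldr_help.acm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: update.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
'''


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "F2", "O2", "O4"
    severity: str  # "high", "medium" or "low": my own triage scale, not an HJT concept
    reason: str
    line: str


def parse_line(line):
    """Split an HJT entry into (section, body); returns None for non-entry lines."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_shell(body):
    """F2 - REG:system.ini: Shell=<value>. The only expected value is explorer.exe;
    anything appended is an extra program started at every logon."""
    m = re.match(r"REG:system\.ini: Shell=(.*)$", body, re.I)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "high", "Shell value is not plain explorer.exe (extra program launched at logon)"
    return None


def check_bho(body, localized_common_files):
    """O2 - BHO: <name> - {CLSID} - <module>. Flags unnamed, orphaned or oddly
    located modules; the locale check is a heuristic I added for non-English installs."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
    if not m:
        return None
    name, module = m.group(1), m.group(2).strip()
    reasons, severity = [], "high"
    if name == "(no name)":
        reasons.append("unnamed BHO")
    if module == "(no file)":
        # Orphaned registration: nothing loads, so it is a cleanup item, not an active threat.
        reasons.append("module file missing (orphaned CLSID)")
        severity = "low"
    else:
        if not module.lower().endswith(".dll"):
            reasons.append("module extension is not .dll")
        if localized_common_files.lower() != "common files" and "\\common files\\" in module.lower():
            reasons.append(f"English 'Common Files' path on a system whose shared folder is '{localized_common_files}'")
    if not reasons:
        return None
    return severity, "; ".join(reasons)


def check_startup(body):
    """O4 - Startup: <entry> / O4 - Global Startup: <entry>. Shortcuts are listed as
    'name.lnk = target'; a bare .exe means a raw executable was dropped into the folder."""
    m = re.match(r"(?:Global )?Startup: (.*)$", body)
    if m and m.group(1).lower().endswith(".exe") and " = " not in m.group(1):
        return "medium", "raw executable in a Startup folder (not a shortcut)"
    return None


def triage(log_text, localized_common_files="Fælles filer"):
    """Return the entries a reviewer should look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        result = None
        if section == "F2":
            result = check_shell(body)
        elif section == "O2":
            result = check_bho(body, localized_common_files)
        elif section == "O4":
            result = check_startup(body)
        if result:
            findings.append(Finding(section, result[0], result[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample this reports the modified Shell line, the unnamed .acm module under an English "Common Files" directory, the orphaned BHO (low severity, cleanup only) and the raw update.exe in the Startup folder, while the Adobe BHO, the vendor Run entry and the WinZip shortcut pass. The heuristics are deliberately narrow; a flagged line is a prompt to check the file, not a verdict.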

Blade81
2008-08-29, 18:55
Hi


Disable Spybot's TeaTimer:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

sdane
2008-08-29, 22:52
Hi Blade81,

Following are new logs from HijackThis and ComboFix. After ComboFix rebooted the computer, I got a message from Spybot - S&D that malicious software cmd.exe was found (and destroyed).

Thank you so much for all your help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30, on 2008-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\IBM\Updater\jre\bin\javaw.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Programmer\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\Programmer\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\Programmer\Common Files\System\fldr_help.acm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FÆLLES~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programmer\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programmer\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: update.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: update.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120475938252
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181576064626
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 13874 bytes




ComboFix 08-08-29.01 - The St 2008-08-29 22:02:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.185 [GMT 2:00]
Running from: C:\Documents and Settings\The St\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\The St\Skrivebord\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com\ud.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\The St\Cookies\the sturms@adchb.accenture[2].txt
C:\Documents and Settings\The St\Cookies\the st@www.pixmania[2].txt
C:\Documents and Settings\The St\Cookies\the_st@ads.monitor[1].txt
C:\Documents and Settings\The St\Cookies\the_st@hb.autodesk[1].txt
C:\Documents and Settings\The St\Cookies\the_st@indextools[2].txt
C:\Documents and Settings\The St\Cookies\the_st@keph.iskon[2].txt
C:\Documents and Settings\The St\Cookies\the_st@news.uk.msn[2].txt
C:\Documents and Settings\The St\Cookies\the_st@qp3.eplugs[1].txt
C:\Documents and Settings\The St\Cookies\the_st@rejseplanen[1].txt
C:\Documents and Settings\The St\Cookies\the_st@revsci[1].txt
C:\Documents and Settings\The St\Cookies\the_st@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\The St\Cookies\the_st@www.krak[2].txt
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\Temp

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-27 20:21 . 2008-08-27 20:21 <DIR> d-------- C:\Programmer\Trend Micro
2008-08-27 20:21 . 2008-08-27 20:21 812,344 --a------ C:\HJTInstall.exe
2008-08-27 18:28 . 2008-08-27 18:37 <DIR> d-------- C:\Programmer\Spybot - Search & Destroy
2008-08-27 18:28 . 2008-08-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 18:22 . 2008-08-27 18:22 15,083,520 --a------ C:\spybotsd160.exe
2008-08-27 18:14 . 2008-08-27 18:15 129,143,904 --a------ C:\xpsp1a_da_x86.exe
2008-08-27 18:00 . 2008-08-27 18:00 2,028,640 --a------ C:\sp1aexpress_usa.exe
2008-08-26 14:02 . 2008-08-26 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-26 14:00 . 2008-08-26 14:01 19,153,264 --a------ C:\aaw2008.exe
2008-08-19 20:22 . 2008-08-27 18:40 <DIR> d-------- C:\Documents and Settings\The St\Application Data\System Tweaker
2008-08-15 03:27 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Programmer\Common Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:11 --------- d-----w C:\Programmer\Fælles filer\Symantec Shared
2008-08-29 19:34 --------- d-----w C:\Documents and Settings\The St\Application Data\Skype
2008-08-29 19:33 --------- d-----w C:\Documents and Settings\The St\Application Data\skypePM
2008-08-25 19:32 --------- d-----w C:\Programmer\Java
2008-08-19 18:21 --------- d-----w C:\Programmer\Uniblue
2008-08-05 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 15:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 15:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 15:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 06:09 --------- d-----w C:\Programmer\Fælles filer\Skype
2008-07-01 05:45 --------- d-----w C:\Programmer\Norton 360
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:33 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,256 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 12:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 12:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-05-14 15:10 23,528 ----a-w C:\Documents and Settings\The St\Application Data\GDIPFONTCACHEV1.DAT
2008-03-06 07:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-31 15:18 327 ---ha-w C:\Documents and Settings\I\hpothb07.dat
2007-02-27 16:18 337 ---ha-w C:\Documents and Settings\The St\hpothb07.dat
2007-02-27 16:15 191 ---ha-w C:\Documents and Settings\The St\Application Data\hpothb07.dat
2006-01-19 12:52 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\F\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-08 09:07 226,584 ----a-w C:\Programmer\jre-1_5_0_04-windows-i586-p-iftw.exe
2005-09-24 15:37 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat

Blade81
2008-08-30, 15:00
Hi

Looks like you posted only a partial ComboFix log. Could you post the complete one, please?

sdane
2008-08-30, 19:04
Hi,

Here it comes again; that's all that is in the file.

If it is not complete, should I run ComboFix again?

One thing that I find interesting is the entries under the date 07-18-2008. We were on holiday with no access to the internet, so the computer was off all the time.

Thank you again for your help.

ComboFix 08-08-29.01 - The St 2008-08-29 22:02:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.185 [GMT 2:00]
Running from: C:\Documents and Settings\The Sturms\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Sturms\Skrivebord\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com\ud.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\The St\Cookies\the st@adchb.accenture[2].txt
C:\Documents and Settings\The St\Cookies\the st@www.pixmania[2].txt
C:\Documents and Settings\The St\Cookies\the_st@ads.monitor[1].txt
C:\Documents and Settings\The St\Cookies\the_st@hb.autodesk[1].txt
C:\Documents and Settings\The St\Cookies\the_st@indextools[2].txt
C:\Documents and Settings\The St\Cookies\the_st@keph.iskon[2].txt
C:\Documents and Settings\The St\Cookies\the_st@news.uk.msn[2].txt
C:\Documents and Settings\The St\Cookies\the_st@qp3.eplugs[1].txt
C:\Documents and Settings\The St\Cookies\the_st@rejseplanen[1].txt
C:\Documents and Settings\The St\Cookies\the_st@revsci[1].txt
C:\Documents and Settings\The St\Cookies\the_st@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\The St\Cookies\the_st@www.krak[2].txt
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\Temp

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-27 20:21 . 2008-08-27 20:21 <DIR> d-------- C:\Programmer\Trend Micro
2008-08-27 20:21 . 2008-08-27 20:21 812,344 --a------ C:\HJTInstall.exe
2008-08-27 18:28 . 2008-08-27 18:37 <DIR> d-------- C:\Programmer\Spybot - Search & Destroy
2008-08-27 18:28 . 2008-08-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 18:22 . 2008-08-27 18:22 15,083,520 --a------ C:\spybotsd160.exe
2008-08-27 18:14 . 2008-08-27 18:15 129,143,904 --a------ C:\xpsp1a_da_x86.exe
2008-08-27 18:00 . 2008-08-27 18:00 2,028,640 --a------ C:\sp1aexpress_usa.exe
2008-08-26 14:02 . 2008-08-26 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-26 14:00 . 2008-08-26 14:01 19,153,264 --a------ C:\aaw2008.exe
2008-08-19 20:22 . 2008-08-27 18:40 <DIR> d-------- C:\Documents and Settings\The St\Application Data\System Tweaker
2008-08-15 03:27 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Programmer\Common Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:11 --------- d-----w C:\Programmer\Fælles filer\Symantec Shared
2008-08-29 19:34 --------- d-----w C:\Documents and Settings\The St\Application Data\Skype
2008-08-29 19:33 --------- d-----w C:\Documents and Settings\The St\Application Data\skypePM
2008-08-25 19:32 --------- d-----w C:\Programmer\Java
2008-08-19 18:21 --------- d-----w C:\Programmer\Uniblue
2008-08-05 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 15:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 15:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 15:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 06:09 --------- d-----w C:\Programmer\Fælles filer\Skype
2008-07-01 05:45 --------- d-----w C:\Programmer\Norton 360
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:33 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,256 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 12:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 12:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-05-14 15:10 23,528 ----a-w C:\Documents and Settings\The St\Application Data\GDIPFONTCACHEV1.DAT
2008-03-06 07:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-31 15:18 327 ---ha-w C:\Documents and Settings\I\hpothb07.dat
2007-02-27 16:18 337 ---ha-w C:\Documents and Settings\The St\hpothb07.dat
2007-02-27 16:15 191 ---ha-w C:\Documents and Settings\The St\Application Data\hpothb07.dat
2006-01-19 12:52 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\F\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-08 09:07 226,584 ----a-w C:\Programmer\jre-1_5_0_04-windows-i586-p-iftw.exe
2005-09-24 15:37 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat

Blade81
2008-08-30, 19:11
Hi

Run ComboFix again. However, this time make sure Spybot's TeaTimer is disabled (instructions in one of my previous posts above).

sdane
2008-08-30, 20:16
I hope I did a better job this time:

Thank you for looking into it.

ComboFix 08-08-29.01 - The St 2008-08-30 19:33:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.167 [GMT 2:00]
Running from: C:\Documents and Settings\The St\Skrivebord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\#SharedObjects\R2B5QRTZ\interclick.com\ud.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\The St\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\The St\Cookies\the st@adchb.accenture[2].txt
C:\Documents and Settings\The St\Cookies\the st@www.pixmania[2].txt
C:\Documents and Settings\The St\Cookies\the_st@ads.monitor[1].txt
C:\Documents and Settings\The St\Cookies\the_st@hb.autodesk[1].txt
C:\Documents and Settings\The St\Cookies\the_st@indextools[2].txt
C:\Documents and Settings\The St\Cookies\the_st@keph.iskon[2].txt
C:\Documents and Settings\The St\Cookies\the_st@news.uk.msn[2].txt
C:\Documents and Settings\The St\Cookies\the_st@qp3.eplugs[1].txt
C:\Documents and Settings\The St\Cookies\the_st@rejseplanen[1].txt
C:\Documents and Settings\The St\Cookies\the_st@revsci[1].txt
C:\Documents and Settings\The St\Cookies\the_st@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\The St\Cookies\the_st@www.krak[2].txt
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\Temp

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-27 20:21 . 2008-08-27 20:21 <DIR> d-------- C:\Programmer\Trend Micro
2008-08-27 20:21 . 2008-08-27 20:21 812,344 --a------ C:\HJTInstall.exe
2008-08-27 18:28 . 2008-08-27 18:37 <DIR> d-------- C:\Programmer\Spybot - Search & Destroy
2008-08-27 18:28 . 2008-08-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 18:22 . 2008-08-27 18:22 15,083,520 --a------ C:\spybotsd160.exe
2008-08-27 18:14 . 2008-08-27 18:15 129,143,904 --a------ C:\xpsp1a_da_x86.exe
2008-08-27 18:00 . 2008-08-27 18:00 2,028,640 --a------ C:\sp1aexpress_usa.exe
2008-08-26 14:02 . 2008-08-26 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-26 14:00 . 2008-08-26 14:01 19,153,264 --a------ C:\aaw2008.exe
2008-08-19 20:22 . 2008-08-27 18:40 <DIR> d-------- C:\Documents and Settings\The St\Application Data\System Tweaker
2008-08-15 03:27 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Programmer\Common Files
2008-07-07 22:32 . 2008-07-07 22:32 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 08:12 . 2008-07-04 08:12 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-04 08:09 . 2008-07-04 08:09 <DIR> d-------- C:\Programmer\Fælles filer\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 17:22 --------- d-----w C:\Documents and Settings\The St\Application Data\Skype
2008-08-30 17:21 --------- d-----w C:\Documents and Settings\The St\Application Data\skypePM
2008-08-30 17:17 --------- d-----w C:\Programmer\Fælles filer\Symantec Shared
2008-08-25 20:03 --------- d-----w C:\Documents and Settings\Gæst\Application Data\Symantec
2008-08-25 19:32 --------- d-----w C:\Programmer\Java
2008-08-19 18:21 --------- d-----w C:\Programmer\Uniblue
2008-08-05 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 15:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 15:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 15:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 05:45 --------- d-----w C:\Programmer\Norton 360
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:33 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,256 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 12:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 12:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-05-14 15:10 23,528 ----a-w C:\Documents and Settings\The St\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-04 19:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-06 07:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-31 15:18 327 ---ha-w C:\Documents and Settings\I\hpothb07.dat
2007-02-27 16:18 337 ---ha-w C:\Documents and Settings\The St\hpothb07.dat
2007-02-27 16:15 191 ---ha-w C:\Documents and Settings\The St\Application Data\hpothb07.dat
2006-01-19 12:52 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\F\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-08 09:07 226,584 ----a-w C:\Programmer\jre-1_5_0_04-windows-i586-p-iftw.exe
2005-09-24 15:37 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5860E001-1190-3001-0799-ca3230262a11}]
2008-08-09 14:23 56832 -rahs---- C:\Programmer\Common Files\System\fldr_help.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 03:53 15360]
"ibmmessages"="C:\Programmer\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 12:10 442368]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"Skype"="C:\Programmer\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"WMPNSCFG"="C:\Programmer\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:30 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Programmer\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 11:17 110592]
"SynTPEnh"="C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 11:17 512000]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"TPKMAPHELPER"="C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 04:39 897024]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 12:43 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 02:11 217088]
"UC_Start"="C:\Programmer\IBM\Updater\\ucstartup.exe" [2004-06-26 01:39 36864]
"UpdateManager"="C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" [2003-08-19 11:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 11:05 127035]
"ibmmessages"="C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 12:10 442368]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 22:12 90112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"SoundMAXPnP"="C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"PRONoMgrWired"="C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 16:08 86016]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 01:38 110592]
"BMMLREF"="C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 01:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 01:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 01:38 208896]
"QCWLICON"="C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 03:07 86016]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2005-09-14 19:42 77824]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ArcSoft Connection Service"="C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 17:48 64000]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"snp2uvc"="C:\WINDOWS\vsnp2uvc.exe" [2007-03-12 19:49 569344]
"ccApp"="C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe" [2008-02-18 21:37 51048]
"osCheck"="C:\Programmer\Norton 360\osCheck.exe" [2008-02-26 16:50 988512]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 09:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2005-04-05 15:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 01:07 40960 C:\WINDOWS\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-27 03:53 110592 C:\WINDOWS\system32\bthprops.cpl]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 13:12 94208 C:\WINDOWS\system32\tp4serv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 03:53 15360]

C:\Documents and Settings\The St\Menuen Start\Programmer\Start\
update.exe [2008-08-09 14:23:35 25600]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-06 12:36:46 24576]
hp psc 1000 series.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]
update.exe [2008-08-09 14:23:35 25600]
WinZip Quick Pick.lnk - C:\Programmer\WinZip\WZQKPICK.EXE [2005-10-08 11:44:25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 20:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Programmer\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmer\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmer\\MSN Messenger\\livecall.exe"=
"C:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programmer\\Skype\\Phone\\Skype.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 12:20]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 03:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 03:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 12:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-24 03:39]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe [2008-02-18 21:37]
S3 ARCSOFTVIRTUALCAPTURE;Magic-i Virtual Driver;C:\WINDOWS\system32\DRIVERS\ArcSoftVirtualCapture.sys [2006-12-07 16:56]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 03:07]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 13:12]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Programmer\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-08-30 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183216587.job
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-30 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1191860047.job
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-02-20 11:49]

2008-03-24 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-02-20 11:49]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue SpeedUpMyPC - (no file)


.
------- Supplementary Scan -------
.
O8 -: &Windows Live Search - C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.euchannels.net/UKooPlayer.ocx
C:\WINDOWS\Downloaded Program Files\UKooPlayer.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 19:37:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-08-30 19:40:52
ComboFix-quarantined-files.txt 2008-08-30 17:40:42

Pre-Run: 12,224,880,640 byte ledig
Post-Run: 12,283,842,560 byte ledig

269 --- E O F --- 2008-08-18 20:27:51

Blade81
2008-08-30, 22:04
Hi

Yes, looks better now :)


Start hjt, do a system scan, check (if found):
O4 - Startup: update.exe
O4 - Global Startup: update.exe

Close browsers and fix checked.


Open Notepad and copy/paste the text in the quote box below into it:



File::
C:\Documents and Settings\The St\Menuen Start\Programmer\Start\update.exe
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\update.exe



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer'). Post back its report, a fresh hjt log and the above mentioned ComboFix resultant log.

sdane
2008-08-31, 11:03
Hi,

Here they are:

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 07:10:59
Records in database: 1171719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 65929
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:02:45


File name / Threat name / Threats count
C:\Documents and Settings\The St\Application Data\Sun\Java\Deployment\cache\6.0\31\3c91455f-7345ac79 Infected: Trojan-Downloader.Java.OpenStream.ac 1

The selected area was scanned.

-------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:37 AM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\IBM\Updater\jre\bin\javaw.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Programmer\internet explorer\iexplore.exe
C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\The Sturms\Lokale indstillinger\temp\jkos-The Sturms\binaries\ScanningProcess.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\Programmer\Common Files\System\fldr_help.acm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FÆLLES~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programmer\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120475938252
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181576064626
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 13640 bytes

sdane
2008-08-31, 11:08
I have a problem posting the ComboFix log:

maximum execution time of 30 seconds exceeded


will keep trying

sdane
2008-08-31, 11:12
here it comes



ComboFix 08-08-29.01 - The St 2008-08-31 7:57:14.3 - NTFSx86
Running from: C:\Documents and Settings\The St\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\The St\Skrivebord\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\update.exe
C:\Documents and Settings\The St\Menuen Start\Programmer\Start\update.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-31 07:57 . 2008-08-31 07:57 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-08-27 20:21 . 2008-08-27 20:21 <DIR> d-------- C:\Programmer\Trend Micro
2008-08-27 20:21 . 2008-08-27 20:21 812,344 --a------ C:\HJTInstall.exe
2008-08-27 18:28 . 2008-08-27 18:37 <DIR> d-------- C:\Programmer\Spybot - Search & Destroy
2008-08-27 18:28 . 2008-08-27 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 18:22 . 2008-08-27 18:22 15,083,520 --a------ C:\spybotsd160.exe
2008-08-27 18:14 . 2008-08-27 18:15 129,143,904 --a------ C:\xpsp1a_da_x86.exe
2008-08-27 18:00 . 2008-08-27 18:00 2,028,640 --a------ C:\sp1aexpress_usa.exe
2008-08-26 14:02 . 2008-08-26 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-26 14:00 . 2008-08-26 14:01 19,153,264 --a------ C:\aaw2008.exe
2008-08-19 20:22 . 2008-08-27 18:40 <DIR> d-------- C:\Documents and Settings\The St\Application Data\System Tweaker
2008-08-15 03:27 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:23 . 2008-08-09 14:23 <DIR> d-------- C:\Programmer\Common Files
2008-07-07 22:32 . 2008-07-07 22:32 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll
2008-07-04 08:12 . 2008-07-04 08:12 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-04 08:09 . 2008-07-04 08:09 <DIR> d-------- C:\Programmer\Fælles filer\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 06:01 --------- d-----w C:\Documents and Settings\The St\Application Data\skypePM
2008-08-31 06:01 --------- d-----w C:\Documents and Settings\The St\Application Data\Skype
2008-08-31 05:55 --------- d-----w C:\Programmer\Fælles filer\Symantec Shared
2008-08-25 20:03 --------- d-----w C:\Documents and Settings\Gæst\Application Data\Symantec
2008-08-25 19:32 --------- d-----w C:\Programmer\Java
2008-08-19 18:21 --------- d-----w C:\Programmer\Uniblue
2008-08-05 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 15:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 15:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 15:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 05:45 --------- d-----w C:\Programmer\Norton 360
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:33 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-23 09:19 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:19 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 246,784 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,256 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 12:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 12:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-05-14 15:10 23,528 ----a-w C:\Documents and Settings\The St\Application Data\GDIPFONTCACHEV1.DAT
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-04 19:21 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-06 07:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-31 15:18 327 ---ha-w C:\Documents and Settings\I\hpothb07.dat
2007-02-27 16:18 337 ---ha-w C:\Documents and Settings\The St\hpothb07.dat
2007-02-27 16:15 191 ---ha-w C:\Documents and Settings\The St\Application Data\hpothb07.dat
2006-01-19 12:52 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\F\hpothb07.dat
2006-01-16 09:16 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-10-08 09:07 226,584 ----a-w C:\Programmer\jre-1_5_0_04-windows-i586-p-iftw.exe
2005-09-24 15:37 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-30_19.40.19.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-31 05:16:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5860E001-1190-3001-0799-ca3230262a11}]
2008-08-09 14:23 56832 -rahs---- C:\Programmer\Common Files\System\fldr_help.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 10:34 576352 --a------ C:\Programmer\Fælles filer\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 03:53 15360]
"ibmmessages"="C:\Programmer\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 12:10 442368]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"Skype"="C:\Programmer\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"WMPNSCFG"="C:\Programmer\Windows Media Player\WMPNSCFG.exe" [2006-11-15 10:30 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Programmer\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 11:17 110592]
"SynTPEnh"="C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 11:17 512000]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"TPKMAPHELPER"="C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 04:39 897024]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 12:43 94208]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 02:11 217088]
"UC_Start"="C:\Programmer\IBM\Updater\\ucstartup.exe" [2004-06-26 01:39 36864]
"UpdateManager"="C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" [2003-08-19 11:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 11:05 127035]
"ibmmessages"="C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 12:10 442368]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 22:12 90112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"SoundMAXPnP"="C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"PRONoMgrWired"="C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 16:08 86016]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 01:38 110592]
"BMMLREF"="C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 01:38 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 01:38 396288]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 01:38 208896]
"QCWLICON"="C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 03:07 86016]
"QuickTime Task"="C:\Programmer\QuickTime\qttask.exe" [2005-09-14 19:42 77824]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ArcSoft Connection Service"="C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-07-03 17:48 64000]
"Adobe Reader Speed Launcher"="C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"snp2uvc"="C:\WINDOWS\vsnp2uvc.exe" [2007-03-12 19:49 569344]
"ccApp"="C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe" [2008-02-18 21:37 51048]
"osCheck"="C:\Programmer\Norton 360\osCheck.exe" [2008-02-26 16:50 988512]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 09:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2005-04-05 15:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 01:07 40960 C:\WINDOWS\system32\TP4EX.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-27 03:53 110592 C:\WINDOWS\system32\bthprops.cpl]
"TrackPointSrv"="tp4serv.exe" [2003-11-13 13:12 94208 C:\WINDOWS\system32\tp4serv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 03:53 15360]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-06 12:36:46 24576]
hp psc 1000 series.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Programmer\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]
WinZip Quick Pick.lnk - C:\Programmer\WinZip\WZQKPICK.EXE [2005-10-08 11:44:25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 20:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmer\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Programmer\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmer\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmer\\MSN Messenger\\livecall.exe"=
"C:\\Programmer\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Programmer\\Skype\\Phone\\Skype.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 12:20]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 03:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 03:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 12:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-09-24 03:39]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe [2008-02-18 21:37]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 ARCSOFTVIRTUALCAPTURE;Magic-i Virtual Driver;C:\WINDOWS\system32\DRIVERS\ArcSoftVirtualCapture.sys [2006-12-07 16:56]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 03:07]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2003-11-13 13:12]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-31 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Programmer\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-08-30 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1183216587.job
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-30 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1191860047.job
- C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-02-20 11:49]

2008-03-24 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Programmer\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-02-20 11:49]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 08:01:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

sdane
2008-08-31, 11:16
In a few parts

part #2

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\agp440]
"ImagePath"="\SystemRoot\System32\DRIVERS\agp440.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\agpCPQ]
"ImagePath"="\SystemRoot\System32\DRIVERS\agpCPQ.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Aha154x]
"ImagePath"="\SystemRoot\System32\DRIVERS\aha154x.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\aic78u2]
"ImagePath"="\SystemRoot\System32\DRIVERS\aic78u2.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\aic78xx]
"ImagePath"="\SystemRoot\System32\DRIVERS\aic78xx.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\AliIde]
"ImagePath"="\SystemRoot\System32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\alim1541]
"ImagePath"="\SystemRoot\System32\DRIVERS\alim1541.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\amdagp]
"ImagePath"="\SystemRoot\System32\DRIVERS\amdagp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\amsint]
"ImagePath"="\SystemRoot\System32\DRIVERS\amsint.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ANC]
"ImagePath"="System32\drivers\ANC.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ARCSOFTVIRTUALCAPTURE]
"ImagePath"="system32\DRIVERS\ArcSoftVirtualCapture.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Arp1394]
"ImagePath"="System32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\asc]
"ImagePath"="\SystemRoot\System32\DRIVERS\asc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\asc3350p]
"ImagePath"="\SystemRoot\System32\DRIVERS\asc3350p.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\asc3550]
"ImagePath"="\SystemRoot\System32\DRIVERS\asc3550.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Aspi32]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\atapi]
"ImagePath"="System32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Atdisk]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Atmarpc]
"ImagePath"="System32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\audstub]
"ImagePath"="System32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Automatic LiveUpdate Scheduler]
"ImagePath"="C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Beep]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BthEnum]
"ImagePath"="system32\DRIVERS\BthEnum.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BthPan]
"ImagePath"="system32\DRIVERS\bthpan.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BTHPORT]
"ImagePath"="System32\Drivers\BTHport.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BthServ]
"ServiceDll"="%SystemRoot%\System32\bthserv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\BTHUSB]
"ImagePath"="System32\Drivers\BTHUSB.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\cbidf]
"ImagePath"="\SystemRoot\System32\DRIVERS\cbidf2k.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ccEvtMgr]
"ImagePath"="\"C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ccSetMgr]
"ImagePath"="\"C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\cd20xrnt]
"ImagePath"="\SystemRoot\System32\DRIVERS\cd20xrnt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Cdfs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Cdrom]
"ImagePath"="System32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Changer]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CLTNetCnService]
"ImagePath"="\"C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CmBatt]
"ImagePath"="System32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CmdIde]
"ImagePath"="\SystemRoot\System32\DRIVERS\cmdide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\COH_Mon]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\comHost]
"ImagePath"="\"C:\Programmer\Fælles filer\Symantec Shared\VAScanner\comHost.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Compbatt]
"ImagePath"="System32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\COMSysApp]
"ImagePath"="C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CO_Mon]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\CO_Mon.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Cpqarray]
"ImagePath"="\SystemRoot\System32\DRIVERS\cpqarray.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dac2w2k]
"ImagePath"="\SystemRoot\System32\DRIVERS\dac2w2k.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dac960nt]
"ImagePath"="\SystemRoot\System32\DRIVERS\dac960nt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Disk]
"ImagePath"="System32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\dpti2o]
"ImagePath"="\SystemRoot\System32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\drvmcdb]
"ImagePath"="system32\drivers\drvmcdb.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\drvncdb]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\drvnddm]
"ImagePath"="system32\drivers\drvnddm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\E1000]
"ImagePath"="System32\DRIVERS\e1000325.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\E100B]
"ImagePath"="System32\DRIVERS\e100b325.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\eeCtrl]
"ImagePath"="\??\C:\Programmer\Fælles filer\Symantec Shared\EENGINE\eeCtrl.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\EraserUtilRebootDrv]
"ImagePath"="\??\C:\Programmer\Fælles filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\EventSystem]
"ServiceDll"="C:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\EvtEng]
"ImagePath"="C:\Programmer\Intel\Wireless\Bin\EvtEng.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Fastfat]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Fdc]
"ImagePath"="System32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Fips]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Flpydisk]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FontCache3.0.0.0]
"ImagePath"="c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Ftdisk]
"ImagePath"="System32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Gpc]
"ImagePath"="System32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\hpn]
"ImagePath"="\SystemRoot\System32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HSFHWICH]
"ImagePath"="system32\DRIVERS\HSFHWICH.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HSF_DP]
"ImagePath"="system32\DRIVERS\HSF_DP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\i2omp]
"ImagePath"="\SystemRoot\System32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\i8042prt]
"ImagePath"="System32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ialm]
"ImagePath"="System32\DRIVERS\ialmnt5.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IBM Rapid Restore Ultra Service]
"ImagePath"="\"C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ibmfilter]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\ibmfilter.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IBMPMDRV]
"ImagePath"="System32\DRIVERS\ibmpmdrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IBMPMSVC]
"ImagePath"="%SystemRoot%\system32\ibmpmsvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IBMTPCHK]
"ImagePath"="System32\drivers\IBMBLDID.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\idsvc]
"ImagePath"="\"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Imapi]
"ImagePath"="System32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\inetaccs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ini910u]
"ImagePath"="\SystemRoot\System32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Inport]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IntelIde]
"ImagePath"="\SystemRoot\System32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\intelppm]
"ImagePath"="System32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ip6fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IpInIp]
"ImagePath"="System32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IpNat]
"ImagePath"="System32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IPSec]
"ImagePath"="System32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\irda]
"ImagePath"="System32\DRIVERS\irda.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\IRENUM]
"ImagePath"="System32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Irmon]
"ServiceDll"="%SystemRoot%\System32\irmon.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\isapnp]
"ImagePath"="System32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Kbdclass]
"ImagePath"="System32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\KSecDD]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ldap]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\LicenseService]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\LiveUpdate]
"ImagePath"="C:\Programmer\Symantec\LiveUpdate\LuComServer_3_4.EXE"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\LiveUpdate Notice]
"ImagePath"="\"C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ltmodem5]
"ImagePath"="System32\DRIVERS\ltmdmnt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mnmdd]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mnmsrvc]
"ImagePath"="C:\WINDOWS\System32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Modem]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Mouclass]
"ImagePath"="System32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MountMgr]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mraid35x]
"ImagePath"="\SystemRoot\System32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MRxDAV]
"ImagePath"="System32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MRxSmb]
"ImagePath"="System32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSDTC]
"ImagePath"="C:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Msfs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mssmbios]
"ImagePath"="System32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Mup]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NAVENG]
"ImagePath"="\??\C:\PROGRA~1\FÆLLES~1\SYMANT~1\VIRUSD~1\20080830.036\NAVENG.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NAVEX15]
"ImagePath"="\??\C:\PROGRA~1\FÆLLES~1\SYMANT~1\VIRUSD~1\20080830.036\NAVEX15.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NDIS]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NdisTapi]
"ImagePath"="System32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Ndisuio]
"ImagePath"="System32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NdisWan]
"ImagePath"="System32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NDProxy]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetBIOS]
"ImagePath"="System32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetBT]
"ImagePath"="System32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetSvc]
"ImagePath"="C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NetTcpPortSharing]
"ImagePath"="\"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NIC1394]
"ImagePath"="System32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Npfs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NSCIRDA]
"ImagePath"="System32\DRIVERS\nscirda.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Ntfs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\System32\lsass.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Null]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NwlnkFlt]
"ImagePath"="System32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\NwlnkFwd]
"ImagePath"="System32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ohci1394]
"ImagePath"="System32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\P3]
"ImagePath"="System32\DRIVERS\p3.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Parport]
"ImagePath"="System32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PartMgr]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ParVdm]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCI]
"ImagePath"="System32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCIDump]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCIIde]
"ImagePath"="System32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Pcmcia]
"ImagePath"="System32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PDRELI]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\perc2]
"ImagePath"="\SystemRoot\System32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\perc2hib]
"ImagePath"="\SystemRoot\System32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PerfNet]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PerfOS]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PerfProc]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PMEM]
"ImagePath"="\??\C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Pml Driver HPZ12]
"ImagePath"="C:\WINDOWS\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PptpMiniport]
"ImagePath"="System32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Processor]
"ImagePath"="System32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\psadd]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\psadd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PsaSrv]
"ImagePath"="C:\WINDOWS\system32\PsaSrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PSched]
"ImagePath"="System32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Ptilink]
"ImagePath"="System32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\QCNDISIF]
"ImagePath"="System32\drivers\qcndisif.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\QCONSVC]
"ImagePath"="System32\QCONSVC.EXE"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ql1080]
"ImagePath"="\SystemRoot\System32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Ql10wnt]
"ImagePath"="\SystemRoot\System32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ql12160]
"ImagePath"="\SystemRoot\System32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ql1240]
"ImagePath"="\SystemRoot\System32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ql1280]
"ImagePath"="\SystemRoot\System32\DRIVERS\ql1280.sys"

sdane
2008-08-31, 11:18
and Part #3

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RasAcd]
"ImagePath"="System32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Rasirda]
"ImagePath"="System32\DRIVERS\rasirda.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Rasl2tp]
"ImagePath"="System32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RasPppoe]
"ImagePath"="System32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Raspti]
"ImagePath"="System32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Rdbss]
"ImagePath"="System32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RDPDD]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\rdpdr]
"ImagePath"="System32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RDPNP]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RDPWD]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RDSessMgr]
"ImagePath"="C:\WINDOWS\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\redbook]
"ImagePath"="System32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RegSrvc]
"ImagePath"="C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RFCOMM]
"ImagePath"="system32\DRIVERS\rfcomm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RpcLocator]
"ImagePath"="%SystemRoot%\System32\locator.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\RSVP]
"ImagePath"="%SystemRoot%\System32\rsvp.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\S24EventMonitor]
"ImagePath"="C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\s24trans]
"ImagePath"="system32\DRIVERS\s24trans.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\S3SSavage]
"ImagePath"="System32\DRIVERS\s3ssavm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Secdrv]
"ImagePath"="System32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\serenum]
"ImagePath"="System32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Serial]
"ImagePath"="System32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Sfloppy]
"ImagePath"="System32\DRIVERS\sfloppy.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ShockMgr]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Shockprf]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Simbad]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sisagp]
"ImagePath"="\SystemRoot\System32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Smapint]
"ImagePath"="System32\drivers\Smapint.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SNP2UVC]
"ImagePath"="system32\DRIVERS\snp2uvc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SoundMAX Agent Service (default)]
"ImagePath"="C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Sparrow]
"ImagePath"="\SystemRoot\System32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SPBBCDrv]
"ImagePath"="\??\C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCDrv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sr]
"ImagePath"="System32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\srservice]
"ServiceDll"="C:\WINDOWS\System32\srsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SRTSP]
"ImagePath"="System32\Drivers\SRTSP.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SRTSPL]
"ImagePath"="System32\Drivers\SRTSPL.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SRTSPX]
"ImagePath"="System32\Drivers\SRTSPX.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Srv]
"ImagePath"="System32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sscdbhk5]
"ImagePath"="system32\drivers\sscdbhk5.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ssrtln]
"ImagePath"="system32\drivers\ssrtln.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\swenum]
"ImagePath"="System32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SwPrv]
"ImagePath"="C:\WINDOWS\System32\dllhost.exe /Processid:{7D102972-0BE3-45D1-8FBE-A5A76284128C}"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\swwd]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Symantec Core LC]
"ImagePath"="C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\symc810]
"ImagePath"="\SystemRoot\System32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\symc8xx]
"ImagePath"="\SystemRoot\System32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMDNS]
"ImagePath"="\SystemRoot\System32\Drivers\SYMDNS.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SymEvent]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMFW]
"ImagePath"="\SystemRoot\System32\Drivers\SYMFW.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMIDS]
"ImagePath"="\SystemRoot\System32\Drivers\SYMIDS.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMIDSCO]
"ImagePath"="\??\C:\PROGRA~1\FÆLLES~1\SYMANT~1\SymcData\ipsdefs\20080828.001\SymIDSCo.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SymIM]
"ImagePath"="system32\DRIVERS\SymIM.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SymIMMP]
"ImagePath"="system32\DRIVERS\SymIM.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMNDIS]
"ImagePath"="\SystemRoot\System32\Drivers\SYMNDIS.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMREDRV]
"ImagePath"="\SystemRoot\System32\Drivers\SYMREDRV.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SYMTDI]
"ImagePath"="\SystemRoot\System32\Drivers\SYMTDI.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sym_hi]
"ImagePath"="\SystemRoot\System32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sym_u3]
"ImagePath"="\SystemRoot\System32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SynTP]
"ImagePath"="System32\DRIVERS\SynTP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Tcpip]
"ImagePath"="System32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TDSMAPI]
"ImagePath"="System32\drivers\TDSMAPI.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TDTCP]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TermDD]
"ImagePath"="System32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnboio]
"ImagePath"="system32\dla\tfsnboio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsncofs]
"ImagePath"="system32\dla\tfsncofs.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsndrct]
"ImagePath"="system32\dla\tfsndrct.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsndres]
"ImagePath"="system32\dla\tfsndres.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnifs]
"ImagePath"="system32\dla\tfsnifs.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnopio]
"ImagePath"="system32\dla\tfsnopio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnpool]
"ImagePath"="system32\dla\tfsnpool.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnudf]
"ImagePath"="system32\dla\tfsnudf.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\tfsnudfa]
"ImagePath"="system32\dla\tfsnudfa.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TlntSvr]
"ImagePath"="C:\WINDOWS\System32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TosIde]
"ImagePath"="\SystemRoot\System32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Tp4Track]
"ImagePath"="system32\DRIVERS\tp4track.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TPHDEXLGSVC]
"ImagePath"="System32\TPHDEXLG.EXE"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TPHKDRV]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TpKmpSVC]
"ImagePath"="C:\WINDOWS\system32\TpKmpSVC.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TPPWR]
"ImagePath"="System32\drivers\Tppwr.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TSDDD]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TSMAPIP]
"ImagePath"="System32\drivers\TSMAPIP.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\TwoTrack]
"ImagePath"="System32\DRIVERS\TwoTrack.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Udfs]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ultra]
"ImagePath"="\SystemRoot\System32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Update]
"ImagePath"="System32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbehci]
"ImagePath"="System32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbhub]
"ImagePath"="System32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\USBSTOR]
"ImagePath"="System32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbuhci]
"ImagePath"="System32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usbvideo]
"ImagePath"="System32\Drivers\usbvideo.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\usnjsvc]
"ImagePath"="\"C:\Programmer\MSN Messenger\usnsvc.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\viaagp]
"ImagePath"="\SystemRoot\System32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ViaIde]
"ImagePath"="\SystemRoot\System32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\VolSnap]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\w22n51]
"ImagePath"="System32\DRIVERS\w22n51.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\w29n51]
"ImagePath"="system32\DRIVERS\w29n51.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\W3SVC]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Wanarp]
"ImagePath"="System32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WDICA]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Winsock]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Winsock - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Winsock - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WinSock2]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Winsock2 - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Winsock2 - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WinTrust]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WmdmPmSN]
"ServiceDll"="C:\WINDOWS\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WmiApSrv]
"ImagePath"="C:\WINDOWS\System32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WMPNetworkSvc]
"ImagePath"="\"C:\Programmer\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\wuauserv]
"ServiceDll"="C:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{3026193E-67EF-489D-A59F-673E835647A1}]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{53C6686E-26CA-4BEC-A861-5948ACFA5CDB}]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{56D5EECF-221C-4C6F-B3DE-A2B65C6D27FF}]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{B26D5BA2-70FA-436B-AB45-3D251EB91F88}]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{B283945D-FBCB-40E5-8FD4-3094A7AB64B5}]

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{DCC3B0DB-5F8E-4770-A568-C42EFB63BFF2}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-08-31 8:05:27
ComboFix-quarantined-files.txt 2008-08-31 06:05:12
ComboFix2.txt 2008-08-30 17:40:53

Pre-Run: 15,268,356,096 bytes free
Post-Run: 15,316,963,328 bytes free

975 --- E O F --- 2008-08-18 20:27:51

Blade81
2008-08-31, 11:24
Hi


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Please upload following file to http://www.virustotal.com and post back the results:
C:\Programmer\Common Files\System\fldr_help.acm

sdane
2008-08-31, 11:55
Virus Total says:

File fldr_help.acm received on 08.31.2008 11:50:12 (CET)


Result: 6/35 (17.15%)


Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.30 -
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.30 -
BitDefender 7.2 2008.08.31 Trojan.Dropper.IRC.TKB
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.08.31 -
DrWeb 4.44.0.09170 2008.08.31 -
eSafe 7.0.17.0 2008.08.28 Suspicious File
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.31 -
F-Prot 4.4.4.56 2008.08.30 -
Fortinet 3.14.0.0 2008.08.31 -
GData 19 2008.08.31 -
Ikarus T3.1.1.34.0 2008.08.31 Virus.Win32.BHO.PO
K7AntiVirus 7.10.433 2008.08.30 -
Kaspersky 7.0.0.125 2008.08.31 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.30 Suspicious file
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.31 Suspicious
Rising 20.59.61.00 2008.08.31 -
Sophos 4.33.0 2008.08.31 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.31 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 PAK_Generic.005
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.30 -
Webwasher-Gateway 6.6.2 2008.08.30 -
Additional information
File size: 56832 bytes
MD5...: 665161f0aaaceebdf2807661170108af
SHA1..: fd64375624352cd88278f3cbb50c3bfb0469c76f
SHA256: 4b7f539815c900913b323d54052ff5e8c7586861920e8e3f21b8aa95c1571a0b
SHA512: 46ddb3586568fd84cb357a988f8f742437587b18bfb284c68740aad7f3782888
567129604e535560a60f0d39179098c542c566fbcdb0ffb75677a64a01a24369
PEiD..: -
TrID..: File type identification
Win32 EXE Yoda's Crypter (64.5%)
Win32 Executable Generic (20.7%)
Win16/32 Executable Delphi generic (5.0%)
Generic Win/DOS Executable (4.8%)
DOS Executable Generic (4.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x46480
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
MCU0 0x1000 0x29000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
MCU1 0x2a000 0xe000 0xd200 7.97 c449b6cad31c5a5f6b1988368e09474f
.rsrc 0x38000 0x1000 0x800 3.19 dc6c44e878d8f96d3cd15c72b1e44c75

( 6 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> advapi32.dll: RegFlushKey
> ole32.dll: IsEqualGUID
> oleaut32.dll: LoadTypeLib
> shell32.dll: ShellExecuteA
> user32.dll: CharNextA

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=081A8C8E00AE1565DEF5002C9F7E1A00C7445A57
packers (F-Prot): UPX_LZMA
packers (Kaspersky): UPX
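
The VirusTotal report above gives per-section entropy (the "ntrpy" column), raw versus virtual sizes, a 1992 link timestamp and a TrID guess of Yoda's Crypter/UPX. The Python below is an added example, not part of sdane's post or of any tool named in the thread: it builds a small synthetic PE32 image inline (constructed bytes, not fldr_help.acm), parses the section table, computes the same entropy figure, hashes the image and flags the packer indicators the report shows. Section names, sizes and the timestamp are copied from the report; the section contents and everything else are invented for the example.

```python
"""Offline static triage of a PE image, mirroring VirusTotal's PEInfo block.

Added example: the sample PE is constructed below and is NOT fldr_help.acm.
Only the section names, sizes and the link timestamp are taken from the
report in the thread.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone


def build_sample_pe() -> bytes:
    """Return a minimal PE32 image with three sections shaped like the report."""
    opt_size = 0xE0                                       # PE32 optional header size
    sections = [
        # name, virtual size, virtual address, raw bytes (constructed)
        (b"MCU0", 0x29000, 0x1000, b""),                  # no raw data: filled at run time
        (b"MCU1", 0x1000, 0x2A000, bytes(range(256)) * 16),  # uniform bytes: entropy 8.0
        (b".rsrc", 0x1000, 0x3B000, b"\x00" * 1000 + b"VS_VERSION_INFO"),
    ]
    pe_off = 0x40
    sect_tbl_off = pe_off + 4 + 20 + opt_size
    raw_off = sect_tbl_off + 40 * len(sections)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)          # e_lfanew at 0x3C
    # COFF header: machine I386, nsections, TimeDateStamp 0x2A425E19 (from the report)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x2A425E19, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", 0x46480)  # entry point
    opt += b"\x00" * (opt_size - len(opt))
    table, blobs = b"", b""
    for name, vsize, vaddr, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             raw_off + len(blobs) if raw else 0, 0, 0, 0, 0, 0xE0000020)
        blobs += raw
    return dos + b"PE\x00\x00" + coff + opt + table + blobs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes (VT's 'ntrpy' scale)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS/COFF headers and the section table; hash image and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]   # AddressOfEntryPoint
    sections, off = [], pe_off + 24 + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rsize, rptr, *_rest = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virt_size": vsize, "virt_addr": vaddr, "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
        off += 40
    return {
        "machine": machine, "entry_point": entry,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc),
        "sections": sections,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def packer_indicators(info: dict, expected_min_year: int = 2000) -> list:
    """Cheap static signals of a packed/crypted binary (evidence, not proof of malice)."""
    findings = []
    for s in info["sections"]:
        if s["raw_size"] == 0 and s["virt_size"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['virt_size']:#x} bytes virtual "
                            "-> written at run time, typical unpacking target")
        if s["entropy"] >= 7.5:
            findings.append(f"{s['name']}: entropy {s['entropy']} -> compressed or encrypted")
    # 0x2A425E19 (1992-06-19) is the fixed stamp Delphi's linker writes into every binary,
    # so it says nothing about when the file was really built.
    if info["timestamp"].year < expected_min_year:
        findings.append(f"link time {info['timestamp']:%Y-%m-%d} is implausible -> fixed or forged")
    return findings


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<6} virt {s['virt_size']:#07x} raw {s['raw_size']:#07x} ntrpy {s['entropy']}")
    for line in packer_indicators(report):
        print("!", line)
```

Run against a real sample, `parse_pe(open(path, "rb").read())` reproduces the MD5/SHA256 you would submit to VirusTotal, and the two section checks reproduce exactly what the report's MCU0 (rawdsiz 0x0) and MCU1 (ntrpy 7.97) rows are telling you before any scanner verdict is read.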

Blade81
2008-08-31, 12:22
Hi

Start hjt, do a system scan, check:
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\Programmer\Common Files\System\fldr_help.acm

Close browsers and fix checked.

Delete C:\Programmer\Common Files\System\fldr_help.acm and C:\Documents and Settings\The St\Application Data\Sun\Java\Deployment\cache\6.0\31\3c91455f-7345ac79 files.

Reboot and post a fresh hjt log. How's the system running?
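
What the O2 line Blade81 asks to fix encodes, and how the same triage can be done mechanically, as an added example that is not from the thread or from HijackThis itself. The Python below parses the O2 (BHO), O3 (toolbar), O4 (Run key) and O23 (service) line formats HijackThis prints, maps each entry to the registry location it was read from, and applies the checks Blade81 made by eye: a BHO registered with no display name, an in-process COM server whose file is not a .dll or .ocx (here fldr_help.acm), and orphaned entries. The "Unknown owner" and bare-file-name checks are my own additional heuristics. Sample lines are copied from sdane's logs; the registry paths are those the HijackThis O2/O3/O4/O23 sections enumerate.

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread).

Sample lines below are copied from the logs posted above. Heuristics are
conservative: a hit means 'look at this', not 'this is malware'.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
O2 - BHO: (no name) - {5860E001-1190-3001-0799-ca3230262a11} - C:\\Programmer\\Common Files\\System\\fldr_help.acm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programmer\\Java\\jre1.6.0_07\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Programmer\\Windows Live Toolbar\\msntb.dll
O4 - HKLM\\..\\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe"
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\\WINDOWS\\system32\\PsaSrv.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\\Programmer\\Symantec\\LiveUpdate\\LuComServer_3_4.EXE
"""

# Where each HijackThis section reads its entries from; the COM server path for
# O2/O3 comes from HKCR\CLSID\{clsid}\InprocServer32, which is what gets fixed.
REG_LOCATION = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}"
          r"  (server: HKCR\CLSID\{clsid}\InprocServer32)",
    "O3": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar, value {clsid}"
          r"  (server: HKCR\CLSID\{clsid}\InprocServer32)",
    "O4": r"{hive}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value {name}",
    "O23": r"HKLM\SYSTEM\CurrentControlSet\Services\{svc}",
}

COM_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.+?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


@dataclass
class Finding:
    line: str
    location: str
    notes: list = field(default_factory=list)


def triage_line(line: str):
    """Parse one HJT line; return a Finding (possibly with no notes) or None if unparsed."""
    line = line.rstrip()
    m = COM_RE.match(line)
    if m:
        kind, name, clsid, path = m.groups()
        f = Finding(line, REG_LOCATION[kind].format(clsid=clsid))
        if name == "(no name)":
            f.notes.append("registered without a display name")
        if path == "(no file)":
            f.notes.append("orphan registration: server file no longer on disk")
        elif not path.lower().endswith((".dll", ".ocx")):
            ext = path.rsplit(".", 1)[-1]
            f.notes.append(f"in-proc COM server loaded from a non-DLL extension '{ext}'")
        return f
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        f = Finding(line, REG_LOCATION["O4"].format(hive=hive, name=name))
        target = cmd.strip('"').split('"')[0] if cmd.startswith('"') else cmd.split(" ")[0]
        if "\\" not in target:
            f.notes.append("bare file name: located via the search path, not an absolute path")
        return f
    m = SVC_RE.match(line)
    if m:
        display, owner, path = m.groups()
        short = re.search(r"\((\S+)\)$", display)            # 'Display (ServiceName)' form
        svc = short.group(1) if short else display
        f = Finding(line, REG_LOCATION["O23"].format(svc=svc))
        if owner == "Unknown owner":
            f.notes.append("no vendor in version info: verify signature or hash")
        if path.endswith("(file missing)"):
            f.notes.append("service binary is gone: leftover entry or removed component")
        return f
    return None


def triage_log(text: str) -> list:
    """Return only the entries that collected at least one note, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f and f.notes]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit.line)
        print("   at:", hit.location)
        for note in hit.notes:
            print("   -", note)
```

The first sample line produces two notes at once (nameless BHO, non-DLL server file), which is exactly why it stood out among forty otherwise ordinary entries; fixing it in HijackThis removes the Browser Helper Objects subkey so Internet Explorer stops loading the file, but the file itself still has to be deleted, which is the separate step the reply asks for.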

sdane
2008-08-31, 13:42
Hi again,

Computer seems faster :), and CPU is more normal (goes to 100% for a second or two); have had no problems with "redirecting" lately. When shutting down, SMax4PNP has to be manually terminated, as well as DDE Server Window... But I can live with that if you tell me everything else looks good.

How bad is/was the problem? What about online accounts? Have they been, and are they, safe (within the "normal limits")? Thanks


I was not able to delete C:\Programmer\Common Files\System\fldr_help.acm. Access denied.

Here is the latest hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:27 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmer\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\ThinkPad\Guiden UltraNav\UNavTray.EXE
C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\FÆLLES~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programmer\Fælles filer\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmer\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmer\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmer\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmer\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QCWLICON] C:\Programmer\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Programmer\Fælles filer\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programmer\Norton 360\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmer\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programmer\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Opdatér ThinkPad-programmer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmer\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120475938252
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181576064626
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FÆLLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmer\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\FÆLLES~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 13404 bytes

Blade81
2008-08-31, 14:12
Hi

Try deleting C:\Programmer\Common Files\System\fldr_help.acm file in safe mode (http://www.computerhope.com/issues/chsafe.htm#02).



when shutting down SMax4PNP has to be manually terminated, as well as DDE Server Window

To get rid of that SoundMAXPnP window you could fix the following entry with hjt:
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe

Then, for that DDE Server Window:

Click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.

Double-click Computer Management, double-click Services and Applications, and then double-click Services.

In the Details pane, click Network DDE.

On the Action menu, click Properties.

On the General tab, in Startup type, select disable, and then click OK.



Your online accounts should be safe. :)

sdane
2008-08-31, 16:01
Hi

Try deleting C:\Programmer\Common Files\System\fldr_help.acm file in safe mode (http://www.computerhope.com/issues/chsafe.htm#02).
done



To get rid of that SoundMAXPnP window you could fix following entry with hjt:
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
done



Then to that DDE Server Window..
.
.
On the General tab, in Startup type, select disable, and then click OK.
It was disabled... so I just confirmed that.

Is that everything?

All your time and help is appreciated more than I can tell...

Blade81
2008-08-31, 16:28
Hi

Ok. Some users have found out that enabling Network DDE has helped in some cases.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



We need to re-hide system files. To do so, please follow the steps below:
Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
Put a check by Hide file extensions for known file types.
Under the Hidden files folder, select Show hidden files and folders.
Check Hide protected operating system files.
Click Apply, and then click OK.


Let's remove ComboFix:

Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As and name the file fixes.bat, change the Save as type to All Files and save it to your desktop. (If you are still unsure how to do this, there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
c:
cd\Documents and Settings\The St\Skrivebord
ComboFix /u
del %0

Double-click on fixes.bat file to execute it.


Uninstall the old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/)


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site (Microsoft Office Update, free) and make sure you have at least all the critical updates installed.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left-hand corner of your screen). Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run Spybot regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update site frequently - it is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
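The Custom Level steps above are clicked through by hand. As an added example (not code from this thread or from Microsoft), the block below checks the same six Internet-zone settings programmatically. The numeric strings are Internet Explorer's URL action identifiers, which are also the registry value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone); each is a REG_DWORD whose data means 0 = Enable, 1 = Prompt, 3 = Disable. read_internet_zone() needs Windows; audit() takes a plain dict, and SAMPLE_STATE is a constructed machine state (not IE's documented defaults) used for the demonstration.

```python
"""Check Internet Explorer's Internet-zone settings against the values the
post above recommends.

Added example; not code from the thread or from Microsoft.  The URL action
ids are the registry value names under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3;
data 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import sys
from typing import Dict, List, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Custom Level wording from the post -> (URL action id, recommended data)
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}

# Constructed machine state for the demo (not IE's documented defaults):
# everything as recommended except IFRAME launching, left at Enable.
SAMPLE_STATE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
                "1800": PROMPT, "1804": ENABLE, "1607": PROMPT}

def read_internet_zone() -> Dict[str, int]:
    """Read the current per-user values from the registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry access requires Windows")
    import winreg  # standard library, present only on Windows builds
    current: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for action_id, _ in RECOMMENDED.values():
            try:
                data, _kind = winreg.QueryValueEx(key, action_id)
                current[action_id] = int(data)
            except FileNotFoundError:
                pass  # value absent: IE uses the zone template's default
    return current

def audit(current: Dict[str, int]) -> List[str]:
    """One finding per setting that is weaker than recommended.

    Strictness orders Enable (0) < Prompt (1) < Disable (3), so a setting that
    is stricter than recommended is not reported.  A missing value is reported
    because its effective state cannot be determined from the dict alone.
    """
    findings = []
    for setting, (action_id, wanted) in RECOMMENDED.items():
        have = current.get(action_id)
        if have is None:
            findings.append(f"{setting} ({action_id}): not set; verify in Custom Level")
        elif have < wanted:
            findings.append(f"{setting} ({action_id}): is {LABEL.get(have, have)}, "
                            f"should be {LABEL[wanted]}")
    return findings

if __name__ == "__main__":
    state = read_internet_zone() if sys.platform == "win32" else SAMPLE_STATE
    for line in audit(state) or ["all six settings at or above the recommended level"]:
        print(line)
```

The check reads HKCU because that is where the Custom Level dialog writes. On a machine where the Security_HKLM_only policy is in force the effective values live under the same path in HKLM instead, so the audit should be pointed there in that case.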

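The hosts-file paragraph above describes the blocking use of the file (a name mapped to a local address so it never resolves to the real site). The same file can also carry entries that send a name somewhere else entirely, which is worth checking on a machine that has shown redirect symptoms. The following is an added example, not code from this thread or from the MVPS project: it parses hosts-file syntax, classifies every name as local, block, redirect or malformed, and lists the redirects. SAMPLE_HOSTS is constructed (example domains and a TEST-NET address); load_system_hosts() reads the live file.

```python
"""Classify hosts-file entries and report names sent to a non-local address.

Added example; not code from the thread or from the MVPS hosts project.
Each line is: IP  name [more names]  # optional comment
"""
import ipaddress
import os
from typing import Dict, List, Tuple

# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net trk.example.net   # block (MVPS style)
127.0.0.1       tracker.example.org              # block (older style)
203.0.113.10    update.example-vendor.com        # real-looking name sent elsewhere
not-an-ip       broken.example.net
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def classify(ip_text: str, host: str) -> str:
    """local / block / redirect / malformed for one (ip, name) pair."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if host.lower() in LOCAL_NAMES:
        return "local"               # the stock loopback lines
    if ip.is_loopback or ip.is_unspecified:
        return "block"               # 127.x or 0.0.0.0: name goes nowhere
    return "redirect"                # name answered with a routable address

def parse_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, category) for every name in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an address with no name: ignore
        ip_text, names = parts[0], parts[1:]
        for name in names:                    # aliases each get their own entry
            entries.append((ip_text, name, classify(ip_text, name)))
    return entries

def find_redirects(text: str) -> List[Tuple[str, str]]:
    """The entries a reviewer should look at first."""
    return [(ip, name) for ip, name, cat in parse_hosts(text) if cat == "redirect"]

def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, _, cat in parse_hosts(text):
        counts[cat] = counts.get(cat, 0) + 1
    return counts

def load_system_hosts() -> str:
    """Read the live hosts file (Windows path, falling back to /etc/hosts)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        path = os.path.join(root, "system32", "drivers", "etc", "hosts")
    else:
        path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    for ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"redirect: {name} -> {ip}")
```

A large blocking list produces thousands of "block" entries and zero "redirect" ones; any redirect line on a machine whose owner did not add it by hand deserves the same scrutiny as an unknown autostart entry.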
sdane
2008-08-31, 19:23
All checked and downloaded and installed as you recommended.

And will update and update... There are some scary things out there. It's so wonderful that there are also guys like you. Keep up the great job. I am soooo grateful.

As far as I can tell, everything is working just fine now. After I restarted the computer (Adobe download), it took a while for IE to upload a web-page... but no problems afterwards.

I hope I'll have a definite positive answer on "how things are going" in a few days.

Your time and effort is very much appreciated. :)

Blade81
2008-09-01, 06:27
You're welcome :)

I'll wait for your input.

sdane
2008-09-07, 16:42
Hi,

as promised, here is a quick update.

I was away for a week but family members say the computer is working just great (no high CPU usage for longer periods of time, shutting down is without problems, no multiple IE running in task manager, no redirecting from Google links) :bigthumb:

It still takes some time for IE to upload the very first web-page (home page is msn.com ), but every other after that is displayed much faster than before.

Thanks again for your time and great job.

Blade81
2008-09-07, 17:16
Ok. Sounds like we're ready for archiving then :)

msn.com contains quite a lot of stuff, so it's no wonder it may take a bit to open up sometimes.

Blade81
2008-09-14, 14:54
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.