
Thread: Need help to get rid of backdoor Trojan - many thanks

  1. #21
    Visiting Fellow miekiemoes
    Join Date
    Oct 2005
    Location
    belgium
    Posts
    252


    Hi,

    Now only your Temporary Internet Files are hidden... This malware is acting weird and now I cannot see from that log if the infection is still present or not..

    First of all, as you said previously, you wanted to know how to back up your mails in Outlook.
    Here's a great tutorial: http://www.sitedeveloper.ws/tutorials/outlook.htm
    Below is the one for Outlook Express.
    Before you back up your mails, first delete the mails you don't know and don't want to back up, because most probably you got infected via mail, so you'll have to make sure you don't back up that mail.

    Then,
    * Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Under Browsing History, click "Delete".
    • Click "Delete Files", "Delete cookies" and "Delete history"
    • Click Close below.
    * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu.
    • Click the Clear now button below. A new window will pop up asking what to clear.
    • Select all and click the Clear button again.
    • Click OK to close the Options window
    * Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
    Then,
    * Download Combofix to your desktop.
    Double-click combofix.exe
    Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
    Post the contents of this log in your next reply together with a new hijackthislog.
    Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

    If the log is huge (since it also uses Catchme), also upload it.

  2. #22
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


    Hi,

    Have backed up Outlook Express (thanks for tutorial link) and followed all other instructions (except ones to do with Firefox, as I don't have it). Here is my Combofix log. HijackThis log to follow shortly in next post.

    Many thanks.

    ComboFix 07-06-18.2 - C:\Documents and Settings\Marie Belsten\Desktop\ComboFix.exe
    "Marie Belsten" - 2007-06-22 11:52:28 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


    2007-06-22 11:50 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-22 01:17 <DIR> d--hs---- C:\found.001
    2007-06-21 08:05 <DIR> d--hs---- C:\found.000
    2007-06-20 21:19 <DIR> d-------- C:\!KillBox
    2007-06-20 14:32 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2007-06-20 14:32 9,006 --a------ C:\clean.bat
    2007-06-20 14:32 86,528 --a------ C:\WINDOWS\system32\catchme.exe
    2007-06-20 14:32 53,248 --a------ C:\WINDOWS\system32\process.exe
    2007-06-20 14:32 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2007-06-20 08:28 74 --a------ C:\WINDOWS\sysInf.dat
    2007-06-19 19:44 <DIR> d-------- C:\DOCUME~1\MARIEB~1\.housecall6.6
    2007-06-17 13:35 6 --a------ C:\WINDOWS\system32\ng60.bin
    2007-06-17 12:51 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-06-17 12:23 <DIR> d-------- C:\WINDOWS\pss
    2007-06-17 02:35 23,040 --a------ C:\WINDOWS\system32\sysdrv5.exe
    2007-06-17 02:34 122,884 --a------ C:\WINDOWS\system32\sysdrv3.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-22 10:44:16 -------- d-----w C:\Program Files\Plaxo
    2007-06-20 12:20:25 -------- d-----w C:\Program Files\Viewpoint
    2007-06-04 23:18:03 -------- d-----w C:\Program Files\EAF
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-12 17:37:57 -------- d-----w C:\Program Files\SEP
    2007-05-12 17:34:08 516,096 ------w C:\WINDOWS\Setup1.exe
    2007-05-12 17:34:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
    2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
    2007-04-23 13:05:45 -------- d-----w C:\DOCUME~1\MARIEB~1\APPLIC~1\Sonic Foundry
    2007-04-23 13:04:52 -------- d-----w C:\Program Files\Sonic Foundry
    2007-04-23 13:04:10 -------- d-----w C:\Program Files\Sonic Foundry Setup
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
    2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
    2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-10-13 07:01 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-10-13 09:17 C:\WINDOWS\ALCWZRD.EXE]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 21:05]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 22:21]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 17:45]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-06 17:34]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-01 15:52]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "<NO NAME>"=
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-22 11:54:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-22 11:54:54

    --- E O F ---

  3. #23
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


    Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:47, on 22/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wltray.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Sonic Shared\CineTray.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//P...d/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119566567671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165538907578
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download....27/ttinst.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup160.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    Many thanks

  4. #24
    Visiting Fellow miekiemoes
    Join Date
    Oct 2005
    Location
    belgium
    Posts
    252


    Hi,

    The good news is, Catchme doesn't list any hidden files anymore.

    Check and fix the following leftover in HijackThis:

    O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)

    There are still some files I want to analyze, so do the following:

    * Please download the Suspicious File Packer from here:
    http://www.safer-networking.org/files/sfp.zip
    Unzip it to the desktop and run it.

    Paste the following bold part into the Suspicious File Packer window:

    C:\WINDOWS\system32\spmsg2.dll
    C:\WINDOWS\system32\sysdrv5.exe
    C:\WINDOWS\system32\sysdrv3.exe


    Allow SFP to pack the file. This will generate a CAB archive on your desktop.
    Go to this page.
    Enter the url of this thread in the first field.
    Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
    The cab file will be called requested-files[*].cab (the * stands for the date and hour).
    Then click the Send File button below.

    Also, do the following. Please download this tool: http://www.kztechs.com/sreng/sreng2.zip

    1. Extract it to Desktop & double click SREng.exe to run it

    2. Select 'Smart Scan' & click on the [Scan] button

    3. When finished, click on the [Save Reports] button & save the log to Desktop

    4. Post the log in your next reply
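
Added example (not part of the original posts, and not code from HijackThis): a small Python parser for HijackThis entry lines that lists the entries the tool marked "(no file)" or "(file missing)", which is how the O2 leftover named in post #24 stands out from the rest of the log. The sample lines are copied from the log in post #23; the class and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input assembled for this example from lines of the HijackThis log
# posted in this thread (post #23).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# An entry line starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# CLSID in registry form: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Trailing marker HijackThis appends when the referenced file was not found.
STATUS_RE = re.compile(r"\((no file|file missing)\)\s*$")


@dataclass
class Entry:
    code: str             # section code, e.g. "O2"
    body: str             # everything after "<code> - "
    clsid: Optional[str]  # upper-cased CLSID if the line carries one
    status: str           # "unmarked", "no file" or "file missing"


def parse_hijackthis(log_text: str) -> List[Entry]:
    """Return one Entry per HijackThis entry line; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # log header, "Running processes:" list, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        status = STATUS_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            status=status.group(1) if status else "unmarked",
        ))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file HijackThis reported as absent."""
    return [e for e in entries if e.status != "unmarked"]


if __name__ == "__main__":
    for e in orphaned(parse_hijackthis(SAMPLE_LOG)):
        print(f"{e.code:<4} {e.status:<13} {e.clsid or '-'}")
```

The parser also surfaces the O9 and O18 "(file missing)" entries, which the helper did not ask to fix; the marker narrows down what to review, it does not decide what to remove.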

  5. #25
    Junior Member
    Join Date
    Jun 2007
    Posts
    16


    Hi, have sent the Suspicious File Packer cab file to you via Bleeping Computers as requested.

    Here is the SREng log (in 2 posts):

    [CODE]

    2007-06-22,13:27:40

    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)

    Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

    Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File


    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <PlaxoUpdate><C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a> [Plaxo, Inc.]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <High Definition Audio Property Page Shortcut><HDAudPropShortcut.exe> [(Verified)Microsoft Windows XP Publisher]
    <SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <AlcWzrd><ALCWZRD.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <ATIPTA><C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe> [ATI Technologies, Inc.]
    <ATICCC><"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime> [N/A]
    <AVG7_CC><C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP> [GRISOFT, s.r.o.]
    <SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"> [(Verified)"Sun Microsystems, Inc."]
    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
    <RoxioDragToDisc><"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"> [Roxio]
    <QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
    <iTunesHelper><"C:\Program Files\iTunes\iTunesHelper.exe"> [(Verified)"Apple Computer, Inc."]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><> [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll> [(Verified)Microsoft Corporation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe> [Microsoft Corporation]

    ==================================
    Startup Folders
    [Adobe Gamma Loader]
    <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>
    [Adobe Reader Speed Launch]
    <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
    [ATI CATALYST System Tray]
    <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk --> C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe [ATI Technologies Inc.]><N>
    [Sonic CinePlayer Quick Launch]
    <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk --> C:\PROGRA~1\COMMON~1\SONICS~1\CineTray.exe [Sonic Solutions]><N>
    [Office Startup]
    <C:\Documents and Settings\Marie Belsten\Start Menu\Programs\Startup\Office Startup.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA.EXE [N/A]><N>

    ==================================
    Services
    [Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
    <C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
    [ATI Smart / ATI Smart][Stopped/Auto Start]
    <C:\WINDOWS\system32\ati2sgag.exe><>
    [AVG7 Alert Manager Server / Avg7Alrt][Running/Auto Start]
    <C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe><GRISOFT, s.r.o.>
    [AVG7 Update Service / Avg7UpdSvc][Running/Auto Start]
    <C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe><GRISOFT, s.r.o.>
    [AVG E-mail Scanner / AVGEMS][Running/Auto Start]
    <C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe><GRISOFT, s.r.o.>
    [Human Interface Device Access / HidServ][Stopped/Disabled]
    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
    [InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
    <"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
    [iPod Service / iPod Service][Running/Manual Start]
    <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Computer, Inc.>
    [SmartLinkService / SLService][Running/Auto Start]
    <slserv.exe><Smart Link>
    [Broadcom Wireless LAN Tray Service / wltrysvc][Running/Auto Start]
    <C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe><N/A>

    ==================================
    Drivers
    [abp480n5 / abp480n5][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ABP480N5.SYS><Microsoft Corporation>
    [adpu160m / adpu160m][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\adpu160m.sys><Microsoft Corporation>
    [AEGIS Protocol (IEEE 802.1x) v3.2.0.3 / AegisP][Running/Auto Start]
    <system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
    [Aha154x / Aha154x][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\aha154x.sys><Microsoft Corporation>
    [aic78u2 / aic78u2][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\aic78u2.sys><Microsoft Corporation>
    [aic78xx / aic78xx][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\aic78xx.sys><Microsoft Corporation>
    [AliIde / AliIde][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
    [AMD AGP Bus Filter Driver / amdagp][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\amdagp.sys><Advanced Micro Devices, Inc.>
    [ASAPIW2K / ASAPIW2K][Running/Manual Start]
    <System32\Drivers\ASAPIW2K.sys><Pinnacle Systems GmbH>
    [asc / asc][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\asc.sys><Advanced System Products, Inc.>
    [asc3350p / asc3350p][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\asc3350p.sys><Microsoft Corporation>
    [asc3550 / asc3550][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\asc3550.sys><Advanced System Products, Inc.>
    [ati2mtag / ati2mtag][Running/Manual Start]
    <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
    [AVG7 Kernel / Avg7Core][Running/System Start]
    <\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
    [AVG7 Wrap Driver / Avg7RsW][Running/System Start]
    <\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
    [AVG7 Resident Driver XP / Avg7RsXP][Running/System Start]
    <\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
    [AVG7 Clean Driver / AvgClean][Running/System Start]
    <\SystemRoot\System32\Drivers\avgclean.sys><GRISOFT, s.r.o.>
    [AVG Network Redirector / AvgTdi][Running/Auto Start]
    <\SystemRoot\System32\Drivers\avgtdi.sys><GRISOFT, s.r.o.>
    [cd20xrnt / cd20xrnt][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\cd20xrnt.sys><Microsoft Corporation>
    [cdrdrv / cdrdrv][Running/Manual Start]
    <System32\Drivers\Cdrdrv.sys><Pinnacle Systems GmbH>
    [CmdIde / CmdIde][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
    [dac2w2k / dac2w2k][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\dac2w2k.sys><Mylex Corporation>
    [Team MFP Comm Driver / DgiVecp][Running/Auto Start]
    <System32\Drivers\DgiVecp.sys><DeviceGuys, Inc.>
    [dpti2o / dpti2o][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\dpti2o.sys><Microsoft Corporation>
    [Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]
    <system32\DRIVERS\e100b325.sys><Intel Corporation>
    [GEAR CDRom Filter / GEARAspiWDM][Running/Manual Start]
    <SYSTEM32\DRIVERS\GEARAspiWDM.sys><GEAR Software Inc.>
    [Microsoft UAA Function Driver for High Definition Audio Service / HdAudAddService][Stopped/Manual Start]
    <system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
    [Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
    <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
    [hpn / hpn][Stopped/Boot Start]
    <\SystemRoot\system32\DRIVERS\hpn.sys><N/A>
    [ini910u / ini910u][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ini910u.sys><Microsoft Corporation>
    [Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
    <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
    [mraid35x / mraid35x][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\mraid35x.sys><American Megatrends Inc.>
    [Mtlmnt5 / Mtlmnt5][Running/Manual Start]
    <system32\DRIVERS\Mtlmnt5.sys><Smart Link>
    [Mtlstrm / Mtlstrm][Stopped/Manual Start]
    <system32\DRIVERS\Mtlstrm.sys><Smart Link>
    [NtMtlFax / NtMtlFax][Stopped/Manual Start]
    <system32\DRIVERS\NtMtlFax.sys><Smart Link>
    [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
    <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [PxHelp20 / PxHelp20][Running/Boot Start]
    <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
    [ql1080 / ql1080][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ql1080.sys><QLogic Corporation>
    [Ql10wnt / Ql10wnt][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ql10wnt.sys><Microsoft Corporation>
    [ql12160 / ql12160][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ql12160.sys><QLogic Corporation>
    [ql1280 / ql1280][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ql1280.sys><QLogic Corporation>
    [RecAgent / RecAgent][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\RecAgent.sys><Smart Link>
    [Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver / RTL8023][Stopped/Manual Start]
    <system32\DRIVERS\Rtlnic51.sys><Realtek Semiconductor Corporation>
    [Secdrv / Secdrv][Stopped/Manual Start]
    <system32\DRIVERS\secdrv.sys><N/A>
    [SIS AGP Bus Filter / sisagp][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
    [Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
    <system32\DRIVERS\slntamr.sys><Smart Link>
    [SlNtHal / SlNtHal][Stopped/Manual Start]
    <system32\DRIVERS\Slnthal.sys><Smart Link>
    [SlWdmSup / SlWdmSup][Running/Manual Start]
    <system32\DRIVERS\SlWdmSup.sys><Smart Link>
    [Sparrow / Sparrow][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\sparrow.sys><Adaptec, Inc.>
    [STEC3 / STEC3][Running/Auto Start]
    <\??\C:\WINDOWS\system32\STEC3.sys><AntiCracking>
    [symc810 / symc810][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\symc810.sys><Symbios Logic Inc.>
    [symc8xx / symc8xx][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\symc8xx.sys><LSI Logic>
    [sym_hi / sym_hi][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\sym_hi.sys><LSI Logic>
    [sym_u3 / sym_u3][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\sym_u3.sys><LSI Logic>
    [TosIde / TosIde][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\toside.sys><Microsoft Corporation>
    [ultra / ultra][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\ultra.sys><Promise Technology, Inc.>
    [ViaIde / ViaIde][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
    [VOBID / VOBID][Running/Boot Start]
    <\SystemRoot\system32\DRIVERS\vobid.sys><Pinnacle Systems>
    [World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
    <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>

    ==================================
    Browser Add-ons
    [Java Plug-in 1.6.0_01]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    []
    {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, N/A>
    [Messenger]
    {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
    [Microsoft Office Template and Media Control]
    {02BCC737-B171-4746-94C9-0D8A0B2C0089} <C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL, >
    [QuickTime Object]
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
    [PlxInstall Class]
    {08BEF711-06DA-48B2-9534-802ECAA2E4F9} <C:\WINDOWS\Downloaded Program Files\PlaxoInstall.dll, Plaxo Inc.>
    [Shockwave ActiveX Control]
    {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Macromedia, Inc.>
    [Windows Genuine Advantage Validation Tool]
    {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
    [MSN Photo Upload Tool]
    {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, Microsoft® Corporation>
    [WUWebControl Class]
    {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
    [MUWebControl Class]
    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, Microsoft Corporation>
    [WScanCtl Class]
    {7B297BFD-85E4-4092-B2AF-16A91B2EA103} <C:\WINDOWS\Downloaded Program Files\webscan.dll, CA>
    [Java Plug-in 1.6.0_01]
    {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    [MessengerStatsClient Class]
    {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} <C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll, Microsoft Corporation>
    [MsnMessengerSetupDownloadControl Class]
    {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} <C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx, Microsoft Corporation>
    [Toontown Installer ActiveX Control]
    {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} <C:\WINDOWS\Downloaded Program Files\ttinst.dll, Walt Disney Co.>
    [Java Plug-in 1.5.0_04]
    {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_06]
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_09]
    {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.6.0_01]
    {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.6.0_01]
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll, Sun Microsystems, Inc.>
    [Shockwave Flash Object]
    {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    [AxisMediaControlEmb Class]
    {DE625294-70E6-45ED-B895-CFFA13AEB044} <C:\Program Files\Axis Communications\AXIS Media Control Embedded\AxisMediaControlEmb.dll, Axis Communications>
    [Shockwave Flash Object]
    {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>

    ==================================
    Running Processes
    [PID: 724][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 772][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 804][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4113]
    [C:\WINDOWS\system32\WgaLogon.dll] [Microsoft Corporation, 1.7.0018.5]
    [C:\WINDOWS\System32\BCMLogon.dll] [Broadcom Corporation, 3.100.40.4]
    [C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 856][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 868][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1048][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4113]
    [C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2496]
    [PID: 1068][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1148][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1248][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\wups2.dll] [Microsoft Corporation, 7.0.6000.374 (winmain(wmbla).070416-2057)]
    [PID: 1352][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1512][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 1708][C:\WINDOWS\System32\wltrysvc.exe] [N/A, ]
    [PID: 1720][C:\WINDOWS\System32\bcmwltry.exe] [BT Voyager Corporation, 3.100.40.4]
    [C:\WINDOWS\System32\AegisE5.dll] [Meetinghouse Data Communications, 3, 0, 2, 29]
    [C:\WINDOWS\System32\wltrynt.dll] [Broadcom Corporation, 3.100.40.4]
    [PID: 1832][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\clpa1lmk.dll] [Samsung Electronics., 1.1.1.0]
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll] [Microsoft Corporation, 6.0.5824.16384 (winmain(wmbla).060911-0725)]
    [PID: 1892][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4113]
    [C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2496]

  6. #26
    Junior Member
    Join Date
    Jun 2007
    Posts
    16

    Default

    [PID: 1960][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
    [C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [PID: 496][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 1, 0, 0, 14]
    [PID: 420][C:\WINDOWS\ALCWZRD.EXE] [RealTek Semicoductor Corp., 1.1.0.14]
    [C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 588][C:\Program Files\ATI Technologies\ATI.ACE\cli.exe] [ATI Technologies Inc., 1.1.1879.40242]
    [C:\WINDOWS\system32\mscoree.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll] [Microsoft Corporation, 1.1.4322.2032]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\microsoft.net\framework\v1.1.4322\mscorlib.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_7786467d\mscorlib.dll] [N/A, ]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll] [Microsoft Corporation, 1.1.4322.573]
    [c:\program files\ati technologies\ati.ace\log.foundation.dll] [ATI Technologies Inc., 1.1.1879.39991]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSCORJIT.DLL] [Microsoft Corporation, 1.1.4322.2032]
    [c:\program files\ati technologies\ati.ace\cli.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
    [c:\program files\ati technologies\ati.ace\log.foundation.service.dll] [ATI Technologies Inc., 1.1.1879.40236]
    [c:\program files\ati technologies\ati.ace\log.foundation.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
    [c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_3398a8d7\system.dll] [N/A, ]
    [c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8ee29ade\system.windows.forms.dll] [N/A, ]
    [c:\program files\ati technologies\ati.ace\cli.foundation.xmanifestation.dll] [ATI Technologies Inc., 1.1.1879.40159]
    [c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_3fbef339\system.xml.dll] [N/A, ]
    [c:\program files\ati technologies\ati.ace\cli.component.runtime.dll] [ATI Technologies Inc., 1.1.1879.40237]
    [c:\program files\ati technologies\ati.ace\aem.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
    [c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll] [Microsoft Corporation, 1.1.4322.573]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [c:\program files\ati technologies\ati.ace\cli.caste.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40003]
    [c:\program files\ati technologies\ati.ace\cli.component.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\cli.caste.graphics.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.39999]
    [c:\program files\ati technologies\ati.ace\cli.caste.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\dem.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
    [c:\program files\ati technologies\ati.ace\dem.graphics.displaysmanager.shared.dll] [ATI Technologies Inc., 1.1.1879.39992]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demosinfo.dll] [ATI Technologies Inc., 1.1.1879.39999]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demosadapterinfo.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\dem.graphics.dematiadapterinfo.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdriversettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\perfcounter.dll] [Microsoft Corporation, 1.1.4322.2032]
    [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll] [Microsoft Corporation, 1.1.4322.2037]
    [c:\program files\ati technologies\ati.ace\atidemgr.dll] [ATI Technologies Inc., 1.1.1879.40159]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demosmodeinfo.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\dem.graphics.dematidisplaysmanagersettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdisplayscoloursettings.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demvideooverlaysettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demsmartgartsettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demumaframebuffersettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
    [c:\program files\ati technologies\ati.ace\dem.graphics.dempowerplaysettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demoverdrivesettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demoverdrive3settings.dll] [ATI Technologies Inc., 1.1.1879.40001]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdisplaysmanageroptionssettings.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [c:\program files\ati technologies\ati.ace\dem.graphics.workstationsettings.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecommonsettings.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecrtsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecomponentvideosettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicetvsettings.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicedfpsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicelcdsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demvpurecoverinfo.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\dem.graphics.mmoverlaysettings.dll] [ATI Technologies Inc., 1.1.1879.40017]
    [c:\program files\ati technologies\ati.ace\dem.graphics.mmdeintlacingsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demvideotheatermodesettings.dll] [ATI Technologies Inc., 1.1.1879.40007]
    [c:\program files\ati technologies\ati.ace\dem.graphics.demdevicetv2settings.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll] [Microsoft Corporation, 1.1.4322.2032]
    [C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll] [Microsoft Corporation, 1.1.4322.2032]
    [c:\program files\ati technologies\ati.ace\cli.aspect.radeon3d.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40190]
    [c:\program files\ati technologies\ati.ace\cli.aspect.radeon3dlegacy.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40190]
    [c:\program files\ati technologies\ati.ace\cli.aspect.radeon3dlegacy.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
    [c:\program files\ati technologies\ati.ace\cli.aspect.displayscolour.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\cli.aspect.displayscolour.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39999]
    [c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40067]
    [c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [c:\program files\ati technologies\ati.ace\dem.graphics.videooverlay.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\cli.aspect.smartgart.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40115]
    [c:\program files\ati technologies\ati.ace\cli.aspect.vpurecover.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40115]
    [c:\program files\ati technologies\ati.ace\cli.aspect.vpurecover.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\cli.aspect.workstationconfig.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40109]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicecrt.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40078]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicelcd.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40159]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicecv.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40171]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicecv.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicetv.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40236]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicedfp.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40236]
    [c:\program files\ati technologies\ati.ace\cli.aspect.overdrive3.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40160]
    [c:\program files\ati technologies\ati.ace\cli.aspect.overdrive3.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40018]
    [c:\program files\ati technologies\ati.ace\cli.aspect.overdrive2.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40054]
    [c:\program files\ati technologies\ati.ace\cli.aspect.powerplay3.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40055]
    [c:\program files\ati technologies\ati.ace\cli.aspect.powerplay3.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
    [c:\program files\ati technologies\ati.ace\cli.aspect.displaysoptions.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40138]
    [c:\program files\ati technologies\ati.ace\cli.aspect.integratedumaframebuffer.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40077]
    [c:\program files\ati technologies\ati.ace\cli.aspect.infocentre.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40022]
    [c:\program files\ati technologies\ati.ace\cli.aspect.infocentre.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [c:\program files\ati technologies\ati.ace\cli.aspect.radeon3d.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40007]
    [c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40020]
    [c:\program files\ati technologies\ati.ace\cli.aspect.deviceproperty.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39993]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicecrt.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40020]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicetv.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
    [c:\program files\ati technologies\ati.ace\cli.aspect.devicedfp.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
    [c:\program files\ati technologies\ati.ace\cli.aspect.displaysoptions.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40019]
    [c:\program files\ati technologies\ati.ace\apm.foundation.dll] [ATI Technologies Inc., 1.1.1879.40021]
    [PID: 600][C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe] [GRISOFT, s.r.o., 7.5.0.460]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTMgr.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgCtrl.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgAbout.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTest.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTRes.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\AvgSet.dll] [, ]
    [C:\WINDOWS\system32\MFC71ENU.DLL] [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\avglog.dll] [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG Free\avgcfg.dll] [GRISOFT, s.r.o., 7.5.0.460]
    [C:\Program Files\Grisoft\AVG Free\avgklib.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\Program Files\Grisoft\AVG Free\avglng.dll] [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [C:\Program Files\Grisoft\AVG Free\avgf.dll] [N/A, ]
    [C:\Program Files\Grisoft\AVG Free\AVGRES.DLL] [N/A, ]
    [C:\Program Files\Grisoft\AVG Free\avgcckrn.dll] [GRISOFT, s.r.o., 7.5.0.460]
    [C:\Program Files\Grisoft\AVG Free\avgvault.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\Program Files\Grisoft\AVG Free\avgrep.dll] [GRISOFT, s.r.o., 7.5.0.448]
    [C:\Program Files\Grisoft\AVG Free\avgunarc.dll] [GRISOFT, s.r.o., 7.5.0.449]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\avgemsui.dll] [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVGFRE~1\avgemcps.dll] [GRISOFT, s.r.o., 7.5.0.420]
    [PID: 764][C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe] [Sun Microsystems, Inc., 6.0.10.6]
    [C:\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
    [PID: 928][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.0.3292]
    [PID: 920][C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe] [Roxio, 7.1.0.220 ]
    [C:\WINDOWS\system32\CDRTC.DLL] [Roxio, 7.1.0.220 ]
    [C:\WINDOWS\system32\cdral.DLL] [Roxio, 7.1.0.220 ]
    [C:\Program Files\Common Files\Roxio Shared\DLLShared\apm.dll] [, 1, 0, 0, 1]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [PID: 1188][C:\Program Files\QuickTime\qttask.exe] [Apple Computer, Inc., 7.1.3]
    [PID: 1368][C:\Program Files\iTunes\iTunesHelper.exe] [Apple Computer, Inc., 7.0.2.16]
    [C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL] [Apple Computer, Inc., 7.0.2.16]
    [C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.DLL] [Apple Computer, Inc., 7.0.2.16]
    [PID: 1380][C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe] [Plaxo, Inc., 2.12.1.1]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [PID: 2044][C:\Program Files\Common Files\Sonic Shared\CineTray.exe] [Sonic Solutions, 2.1.00.0041]
    [C:\WINDOWS\system32\MFC70.DLL] [Microsoft Corporation, 7.00.9466.0]
    [C:\WINDOWS\system32\MSVCR70.dll] [Microsoft Corporation, 7.00.9466.0]
    [C:\WINDOWS\system32\MSVCP70.dll] [Microsoft Corporation, 7.00.9466.0]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [PID: 180][C:\Program Files\Microsoft Office\Office\OSA.EXE] [N/A, ]
    [C:\Program Files\Microsoft Office\Office\MSO97.DLL] [, ]
    [C:\Program Files\Microsoft Office\Office\osaintl.dll] [Microsoft Corporation, 8.0]
    [PID: 2964][C:\WINDOWS\system32\NOTEPAD.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [PID: 3936][C:\Program Files\internet explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
    [C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
    [PID: 2012][C:\Documents and Settings\Marie Belsten\Desktop\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
    [C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]

    ==================================
    File Associations
    .TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE OK. ["%1" %*]
    .COM OK. ["%1" %*]
    .PIF OK. ["%1" %*]
    .REG OK. [regedit.exe "%1"]
    .BAT OK. ["%1" %*]
    .SCR OK. ["%1" /S]
    .CHM OK. ["C:\WINDOWS\hh.exe" %1]
    .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .LNK OK. [{00021401-0000-0000-C000-000000000046}]

    ==================================
    Winsock Provider
    N/A

    ==================================
    Autorun.Inf
    N/A

    ==================================
    HOSTS File
    127.0.0.1 localhost

    ==================================
    API HOOK
    N/A

    ==================================
    Hidden Process
    N/A

    ==================================


    [/CODE]

  7. #27
    Visiting Fellow miekiemoes's Avatar
    Join Date
    Oct 2005
    Location
    belgium
    Posts
    252

    Default

    As far as I can see, the SRENG log looks OK.

    C:\WINDOWS\system32\spmsg2.dll is OK as well.
    But.. the other two files are related to the malware you were dealing with, so delete the following files:

    C:\WINDOWS\system32\sysdrv5.exe
    C:\WINDOWS\system32\sysdrv3.exe

    Let me know afterwards how everything is behaving now..
    It is good that you made a backup - you should do this once in a while, just in case you get reinfected again and your system won't boot etc etc...

  8. #28
    Junior Member
    Join Date
    Jun 2007
    Posts
    16

    Default

    Hi,

    I have deleted those two files as advised. Everything seems to be running OK at the moment. Do you think I should still re-format my PC now?

    Many, many thanks for all your time and help with this. I really do appreciate it!

  9. #29
    Visiting Fellow miekiemoes's Avatar
    Join Date
    Oct 2005
    Location
    belgium
    Posts
    252

    Default

    It looks like the malware should be gone now.... But as I said previously, especially with this variant of infection, you cannot trust this computer 100% anymore.
    If everything works OK and you don't notice any problems anymore, then leave it as it is.
    As an extra addition, just to be sure, install Keyscrambler:
    http://www.qfxsoftware.com/products.htm
    This will give you extra protection while you do your online banking, because it encrypts your keystrokes. You may want to read this:
    http://www.bleepingcomputer.com/secu...-keyscrambler/



    Glad I could help.

    Please read my Prevention page with lots of info and tips on how to prevent this in the future.
    And if you want to improve speed/system performance after malware removal, take a look here.

    Happy Surfing again!
