
Thread: Malware cause CPU usage to go to 100% in cycles

  1. #1 Junior Member (Join Date: Dec 2006; Posts: 7)

    Malware cause CPU usage to go to 100% in cycles

    Hi,

    To whoever is going to help me here, just a word of thanks from me before I start. You guys are wonderful.

    OK, let's get to the problem.

    I have been having this problem for about 2 weeks or so. The CPU usage is weird, with periodic peaks at 100% usage by a process called "iexplore.exe". The peaks come every 30 seconds or so. Under the Windows Task Manager the User of this process is "System". When I launch my Internet Explorer 7, another process with the same name "iexplore.exe" appears, but under the user account which I have logged in to Windows with.

    When I terminate the process "iexplore.exe" started by System, the problem goes away. However, when I reboot, the problem comes back again.

    Scanned my computer with the updated AVG Free edition in safe mode, but it did not detect any virus.

    Scanned with the Panda online scanner. The report is as follows:

    ********************************************************

    Incident Status Location

    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.hitbox.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.tradedoubler.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.go.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.ehg-dig.hitbox.com/]
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\dy57f3ss.default\cookies.txt[.valueclick.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.com.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.hitbox.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.burstnet.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.go.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.ehg-dig.hitbox.com/]
    Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.anm.co.uk/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.888.com/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.revenue.net/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.as-us.falkag.net/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.bravenet.com/]
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.hotlog.ru/]
    Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.spylog.com/]

    **********************continuation in next post ************

  2. #2 Junior Member (Join Date: Dec 2006; Posts: 7)

    Continuation

    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.phg.hitbox.com/]
    Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.adviva.net/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Master\Application Data\Mozilla\Firefox\Profiles\99glmtf5.default\cookies.txt[.belnk.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Master\Cookies\master@casalemedia[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Master\Cookies\master@com[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Master\Cookies\master@go[1].txt
    Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\Content.IE5\9EWMF91W\popup[1].htm
    Adware:Adware/Popuper Not disinfected C:\WINDOWS\system32\slpube03.dll

    *****************************************************

    Scanned with Spybot Search and Destroy in Safe mode and removed everything it detected.


    *****************************************************


    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:35 PM, on 12/19/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\NUS-VPN\cvpnd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Chameleon Clock\ChamClock.exe
    C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    C:\Program Files\TurboNote\tbnote.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Master\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Fn-esse.lnk = C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136329400116
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winnqw32 - winnqw32.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\NUS-VPN\cvpnd.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Ken32 Driver Service - Unknown owner - C:\WINDOWS\System32\SVCH0ST
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe

    *********************************************************

    After doing all this, I still face the same problem with iexplore.exe after I reboot the computer.

    Regards,
    John
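    The O4, O20 and O23 lines in the HijackThis log above are the kind of entries a helper scans by eye. The script below is an added example written for this page (not part of the thread, and not HijackThis's own code) that applies a few of those checks to lines copied from the log: a Winlogon Notify entry whose DLL is missing, a service with no owner information, and an image name that imitates a system binary through digit-for-letter swaps. The heuristics, severity labels and the list of imitated system binaries are my own assumptions.

```python
import re
from dataclasses import dataclass

# Triage helper for HijackThis-style log lines. Added example for this page;
# the heuristics below are assumptions, not HijackThis rules.

# Windows process names that malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services",
                   "smss", "spoolsv", "explorer", "iexplore", "rundll32"}
# Digit-for-letter substitutions used to fold look-alike names (SVCH0ST -> svchost).
LOOKALIKE_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Constructed sample: lines copied from the HijackThis log in the post above,
# benign and suspicious mixed, so the checks can run offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winnqw32 - winnqw32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Ken32 Driver Service - Unknown owner - C:\WINDOWS\System32\SVCH0ST
"""


@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O23"
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def image_path(value: str) -> str:
    """Return the first path/file token of a Run or Service value, without switches."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', value)
    if not m:
        return value.strip()
    return m.group(1) if m.group(1) is not None else m.group(2)


def base_name(path: str) -> str:
    """Lower-cased file name of a path with directory and extension removed."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def lookalike_of(name: str):
    """System binary that `name` imitates through digit swaps, or None if none."""
    if name in SYSTEM_BINARIES:
        return None
    folded = name.translate(LOOKALIKE_FOLD)
    return folded if folded in SYSTEM_BINARIES else None


def triage_line(line: str) -> list:
    """Apply the heuristics to one log line and return the findings for it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings = []

    def add(severity, reason):
        findings.append(Finding(section, severity, reason, line.strip()))

    if section == "O20" and "(file missing)" in body:
        add("high", "Winlogon Notify package points at a DLL that is missing or hidden")

    if section == "O23":
        # Layout: "Service: <display name> (<name>) - <company> - <image path>"
        parts = body.split(" - ")
        company = parts[1].strip() if len(parts) >= 3 else ""
        path = parts[-1].strip()
        if company.lower() == "unknown owner":
            add("medium", "service image carries no company information")
        target = lookalike_of(base_name(path))
        if target:
            add("high", f"service image name imitates the system binary '{target}'")
        if "." not in path.rsplit("\\", 1)[-1]:
            add("low", "service image has no file extension")

    if section == "O4":
        # Layout: "<hive>\..\Run: [<name>] <command>"  or  "Global Startup: x.lnk = <target>"
        value = body.split(": ", 1)[-1]
        value = value.split(" = ", 1)[-1]
        value = re.sub(r"^\[[^\]]*\]\s*", "", value)
        path = image_path(value)
        if "\\" not in path and not path.startswith("%"):
            add("low", "bare file name; which file runs depends on the search path")
        target = lookalike_of(base_name(path))
        if target:
            add("high", f"Run entry image name imitates the system binary '{target}'")
    return findings


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and return all findings in order."""
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

    Run against the sample it flags the orphaned winnqw32 Notify entry and the Ken32 service three times (no owner, look-alike of svchost, no extension), while the AVG, Intel and Toshiba lines pass.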

  3. #3 Security Expert-Emeritus (Join Date: Oct 2005; Posts: 5,025)

    Hi John

    C:\WINDOWS\system32\slpube03.dll < delete that file manually

    Post a report from this tool if any FILES show.
    F-Secure BlackLight: https://europe.f-secure.com/blacklight/try.shtml
    Click the I accept button near the bottom of that page.
    Click the first download button (version with graphical user interface).
    Download/save (not open) and run BlackLight; click > scan, then > next, next again, then exit.
    There will be a new txt near BlackLight. Post it please.
    Important: If any files show, do not rename them YET..... legitimate files can be listed.

    Download and run Silentrunners.vbs and post the log it creates please.
    http://www.silentrunners.org/sr_scriptuse.html click no to not skip the supplementary searches.
    Wait until there is an All Done message!!, then open and post the log next to it.
    Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  4. #4 Junior Member (Join Date: Dec 2006; Posts: 7)

    Hi,

    I have manually deleted slpube03.dll in safe mode.

    Ran BlackLight and here is the result:

    12/26/06 10:29:51 [Info]: BlackLight Engine 1.0.47 initialized
    12/26/06 10:29:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/26/06 10:29:51 [Note]: 7019 4
    12/26/06 10:29:51 [Note]: 7005 0
    12/26/06 10:29:55 [Note]: 7006 0
    12/26/06 10:29:55 [Note]: 7011 1384
    12/26/06 10:29:56 [Note]: 7026 0
    12/26/06 10:29:56 [Note]: 7026 0
    12/26/06 10:30:15 [Note]: FSRAW library version 1.7.1020
    12/26/06 10:41:37 [Note]: 2000 1012
    12/26/06 10:49:40 [Note]: 7007 0

    ****************************************************

    Ran the Silent Runners script and here is the result:

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
    "HomeAlarm" = "C:\Program Files\Chameleon Clock\ChamClock.exe" ["Softshape Dev."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
    "00THotkey" = "C:\WINDOWS\System32\00THotkey.exe" ["TOSHIBA Corporation"]
    "000StTHK" = "000StTHK.exe" [null data]
    "TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]
    "SigmaTel StacMon" = "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" ["SigmaTel Inc."]
    "Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
    "TFncKy" = "C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe" ["TOSHIBA Corporation"]
    "TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
    "PadTouch" = ""C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [file not found]
    "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
    "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
    "MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
    "PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
    "PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
    "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "QuickTime Task" = "C:\WINDOWS\system32\qttask.exe" [null data]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
    "1A:Stardock TrayMonitor" = "(empty string)" [file not found]
    "(Default)" = "(empty string)" [file not found]
    "Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" ["Sony Ericsson Mobile Communications AB"]
    "RegistryMechanic" = "(empty string)" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "IeCatch2 Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"
    -> {HKLM...CLSID} = "TouchShellExt Class"
    \InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{5360490C-92EB-4BDB-8203-313CC9082133}" = "Shell PublishingExt Extension"
    -> {HKLM...CLSID} = "Shell PublishingExt Class"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\slpube03.dll" [file not found]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
    -> {HKLM...CLSID} = "Sony Ericsson File Manager"
    \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{93994DE8-8239-4655-B1D1-5F4E91300429}" = (no title provided)
    -> {HKLM...CLSID} = "DVDIdleShell Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\DVDREG~1\DVDShell.dll" ["Fengtao Software Inc."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
    <<!>> winnqw32\DLLName = "winnqw32.dll" [file not found]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoViewOnDrive" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
    {unrecognized setting}

    "NoCDBurning" = (REG_DWORD) hex:0x00000001
    {unrecognized setting}

    "NoBandCustomize" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
    Disable customizing browser toolbars}

    "NoMovingBands" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoCloseDragDropBands" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSetTaskbar" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Start Menu and Taskbar|
    Prevent changes to Taskbar and Start Menu Settings}

    "NoToolbarsOnTaskbar" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|
    Don't save settings at exit}

    "NoActiveDesktop" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Disable Active Desktop}

    "ClassicShell" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Windows Explorer|
    Enable Classic Shell / Turn on Classic Shell}

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    "Colors" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Startup items in "Master" & "All Users" startup folders:
    --------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "Fn-esse" -> shortcut to: "C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE" ["TOSHIBA Corp."]
    "TurboNote" -> shortcut to: "C:\Program Files\TurboNote\tbnote.exe" ["WebCentre Ltd, New Zealand"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 35
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
    -> {HKLM...CLSID} = "FlashGet Bar"
    \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
    Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\NUS-VPN\cvpnd.exe"" ["Cisco Systems, Inc."]
    Messenger Sharing USN Journal Reader service, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
    Canon BJ Language Monitor PIXMA iP1000\Driver = "CNMLM6e.DLL" ["CANON INC."]
    HP CLJ2600n LM\Driver = "ZLHP2600.DLL" ["Zenographics, Inc."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PrimoMon\Driver = "Primomonnt.dll" [null data]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 120 seconds, including 18 seconds for message boxes)

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Start Hijackthis and place a check next to these items if there.
    O20 - Winlogon Notify: winnqw32 - winnqw32.dll (file missing)
    ====================================
    Hit fix checked and close Hijackthis.

    How's that PC acting now ?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    Ok. Done as instructed. However, the PC is still having the same problem.

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    What changes or new software were made or installed just prior to the problems starting?

    Reboot to safe mode, make a Hijackthis startup list, reboot back to normal, then post that list.
    Once in safe mode, start Hijackthis, click Config > Misc Tools,
    place a check in [X] List also minor sections
    and [X] List empty sections, then click Generate StartupList log.
    Restart back to a normal Windows session and post that log please.

    Also go to Start > Run, type cmd, then type in
    sc query "Ken32 Driver Service"
    What do you see? Then type exit to exit the cmd prompt.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
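A triage script in the spirit of the sc query check above, added here as an example and not code from the thread or from HijackThis: it parses service lines in the StartupList "Enumerating Windows NT/2000/XP services" format the expert asked for and flags a binary whose name mimics a core system process through digit substitutions, has no file extension, or loads from a non-system drive. The sample lines are constructed in that format (the Ken32 entry matches the service named above); the set of well-known System32 names and the substitution table are my assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of the StartupList services section
# (not the thread's full log). The Ken32 line mirrors the entry the thread
# asks about; the others are typical benign lines.
SAMPLE_SERVICES = r"""
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Ken32 Driver Service: C:\WINDOWS\System32\SVCH0ST (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-Lock: \??\F:\cdm.sys (manual start)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Cisco Systems, Inc. VPN Service: "C:\Program Files\NUS-VPN\cvpnd.exe" (autostart)
"""

# Assumed list of core Windows XP processes that live in System32; a service
# binary named like one of these, but not spelled exactly, deserves a close look.
SYSTEM32_RESIDENTS = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "spoolsv"}

# Assumed digit-for-letter substitutions used to mimic a system file name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})

# "Display Name: <image or command line> (start type)"
LINE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>[^()]+)\)$")


def parse_service_line(line: str) -> Tuple[str, str, str]:
    """Split a StartupList service line into (display name, command line, start type)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a StartupList service line: {line!r}")
    return m.group("name"), m.group("cmd"), m.group("start")


def image_path(cmd: str) -> str:
    """Return the executable path from a service command line, dropping arguments.

    Quoted paths may contain spaces; unquoted ones end at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text: str) -> List[dict]:
    """Flag service entries worth following up with sc query and a file lookup."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, cmd, start = parse_service_line(line)
        path = image_path(cmd)
        # Strip the NT object-manager prefix some driver entries carry (\??\C:\...).
        if path.startswith("\\??\\"):
            path = path[4:]
        _directory, _, filename = path.rpartition("\\")
        stem, dot, ext = filename.rpartition(".")
        if not dot:  # no '.' at all: the whole file name is the stem
            stem, ext = filename, ""

        reasons = []
        normalized = stem.lower().translate(HOMOGLYPHS)
        if normalized in SYSTEM32_RESIDENTS and stem.lower() != normalized:
            reasons.append(f"lookalike of {normalized}")
        if not ext:
            reasons.append("no file extension")
        drive = path[:2].upper() if re.match(r"^[A-Za-z]:", path) else ""
        if drive and drive != "C:":
            reasons.append(f"loaded from drive {drive}")
        if reasons:
            findings.append({"name": name, "image": path, "start": start, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        print(f'{f["name"]}: {f["image"]} ({f["start"]}) -> {", ".join(f["reasons"])}')
```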

  8. #8
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    Frankly, I do not remember the software which I have installed that could have caused the problem. SRS Audio Sandbox, DFX Audio Enhancer, Registry Mechanic??? These are the programs I have recently installed, at about the same time as when I discovered the unusual CPU usage. I suspect these because I had attempted to find cracks on the Net for them.

    The Startuplist log is here:

    StartupList report, 12/28/2006, 2:01:20 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Master\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0011)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Master\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Master\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Fn-esse.lnk = C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    00THotkey = C:\WINDOWS\System32\00THotkey.exe
    000StTHK = 000StTHK.exe
    TFNF5 = TFNF5.exe
    SigmaTel StacMon = C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    Apoint = C:\Program Files\Apoint2K\Apoint.exe
    TFncKy = C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
    TouchED = C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    PadTouch = "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    AGRSMMSG = AGRSMMSG.exe
    IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    QuickTime Task = C:\WINDOWS\system32\qttask.exe
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    TPSMain = TPSMain.exe
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    1A:Stardock TrayMonitor =
    (Default) =
    Sony Ericsson PC Suite = "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    RegistryMechanic =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    1A:Stardock TrayMonitor =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    HomeAlarm = C:\Program Files\Chameleon Clock\ChamClock.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
    StubPath = C:\WINDOWS\system32\ieudinit.exe

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

    --------------------------------------------------
    To be Cont'd

  9. #9
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    *Continuation


    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary...r.cab31267.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeup...tent/opuc3.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://update.microsoft.com/windowsu...?1136329400116

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary...t.cab31267.cab

    [F-Secure Online Scanner 3.0]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
    CODEBASE = http://support.f-secure.com/ols/fscax.cab

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/products/plugin/...ndows-i586.cab

    [Java Plug-in]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Java Plug-in 1.5.0_06]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload2.macromedia.com/ge...sh/swflash.cab

    [CTAdjust Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\clearadjust.dll
    CODEBASE = http://download.microsoft.com/downlo...4/clearadj.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary...n.cab31267.cab

    [IWinAmpActiveX Class]
    InProcServer32 = C:\PROGRA~1\COMMON~1\Nullsoft\ActiveX\2.4\AmpX.dll
    CODEBASE = http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    NameSpace #4: C:\WINDOWS\system32\wshbth.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll
    Protocol #20: C:\WINDOWS\system32\mswsock.dll
    Protocol #21: C:\WINDOWS\system32\mswsock.dll
    Protocol #22: C:\WINDOWS\system32\mswsock.dll
    Protocol #23: C:\WINDOWS\system32\mswsock.dll
    Protocol #24: C:\WINDOWS\system32\mswsock.dll
    Protocol #25: C:\WINDOWS\system32\mswsock.dll
    Protocol #26: C:\WINDOWS\system32\mswsock.dll
    Protocol #27: C:\WINDOWS\system32\mswsock.dll
    Protocol #28: C:\WINDOWS\system32\mswsock.dll
    Protocol #29: C:\WINDOWS\system32\mswsock.dll
    Protocol #30: C:\WINDOWS\system32\mswsock.dll
    Protocol #31: C:\WINDOWS\system32\mswsock.dll
    Protocol #32: C:\WINDOWS\system32\mswsock.dll
    Protocol #33: C:\WINDOWS\system32\mswsock.dll
    Protocol #34: C:\WINDOWS\system32\mswsock.dll
    Protocol #35: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    TOSHIBA V92 Software Modem: System32\DRIVERS\AGRSM.sys (manual start)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    Aspi32: System32\drivers\aspi32.sys (autostart)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Bluetooth Audio Service: system32\DRIVERS\blueletaudio.sys (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Bluetooth PAN Network Adapter: system32\DRIVERS\btnetdrv.sys (manual start)
    Bluetooth USB For Bluetooth Service: System32\Drivers\btcusb.sys (manual start)
    Bluetooth Request Block Driver: system32\DRIVERS\BthEnum.sys (manual start)
    Bluetooth HID Enumerator: system32\DRIVERS\vbtenum.sys (manual start)
    Bluetooth HID Manager Service: System32\Drivers\BTHidMgr.sys (system)
    Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
    Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
    Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
    Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
    Xircom CardBus Ethernet 10/100 Adapter family Driver: System32\DRIVERS\cben5.sys (manual start)
    Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
    CD-Lock: \??\F:\cdm.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    .NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
    Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
    Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Cisco Systems VPN Adapter: system32\DRIVERS\CVirtA.sys (manual start)
    Cisco Systems, Inc. VPN Service: "C:\Program Files\NUS-VPN\cvpnd.exe" (autostart)
    National University of Singapore IPsec Driver: \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (autostart)
    Qmax Webcam: System32\Drivers\TP6810.sys (manual start)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    Deterministic Network Enhancer Miniport: system32\DRIVERS\dne2000.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
    DVD-RAM_Service: C:\WINDOWS\System32\DVDRAMSV.exe (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    GEARSecurity: %SystemRoot%\System32\GEARSec.exe (disabled)
    Sony Ericsson USB Flash Driver: system32\DRIVERS\ggsemc.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Intel GV3 Processor Driver: System32\DRIVERS\gv3.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    ialm: System32\DRIVERS\ialmnt5.sys (manual start)

    * To be Continued

  10. #10
    Junior Member
    Join Date
    Dec 2006
    Posts
    7

    Default

    *Continuation

    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IrDA Protocol: system32\DRIVERS\irda.sys (autostart)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    Infrared Monitor: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Sony Ericsson K510 Driver driver (WDM): system32\DRIVERS\k510bus.sys (manual start)
    Sony Ericsson K510 USB WMC Modem Filter: system32\DRIVERS\k510mdfl.sys (manual start)
    Sony Ericsson K510 USB WMC Modem Driver: system32\DRIVERS\k510mdm.sys (manual start)
    Sony Ericsson K510 USB WMC Device Management Drivers (WDM): system32\DRIVERS\k510mgmt.sys (manual start)
    Sony Ericsson K510 USB WMC OBEX Interface: system32\DRIVERS\k510obex.sys (manual start)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
    Ken32 Driver Service: C:\WINDOWS\System32\SVCH0ST (autostart)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    meiudf: System32\Drivers\meiudf.sys (system)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Microsoft IR Communications Driver: system32\DRIVERS\MSIRCOMM.sys (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
    Norton Ghost: C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe (disabled)
    Netgroup Packet Filter: \??\C:\WINDOWS\system32\drivers\packet.sys (manual start)
    NSNDIS5 NDIS Protocol Driver: \??\C:\WINDOWS\system32\NSNDIS5.SYS (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCANDIS5 Protocol Driver: \??\C:\WINDOWS\system32\PCANDIS5.SYS (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Pcmcia: System32\DRIVERS\pcmcia.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Bluetooth Device (RFCOMM Protocol TDI): system32\DRIVERS\rfcomm.sys (manual start)
    Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    WLAN Transport: System32\DRIVERS\s24trans.sys (disabled)
    SABProcEnum: \??\C:\Program Files\Mozilla Firefox\SABProcEnum.sys (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    sptd: System32\Drivers\sptd.sys (system)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SRS Labs Audio Sandbox (WDM): system32\drivers\srs_sscfilter.sys (manual start)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Audio Driver (WDM) - SigmaTel CODEC: system32\drivers\stac97.sys (manual start)
    SigmaTel USB-IrDA Dongle: system32\DRIVERS\irstusb.sys (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{06052CA0-DB8F-4488-8C88-7711E8824B98} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver: System32\DRIVERS\TVALZ.SYS (system)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
    Virtual Serial port driver: system32\DRIVERS\VComm.sys (manual start)
    Bluetooth VComm Manager Service: System32\Drivers\VcommMgr.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    Bluetooth HID Device Service: system32\drivers\VHIDMini.sys (manual start)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Intel(R) PRO/Wireless 2200 Adapter Driver: System32\DRIVERS\w22n51.sys (manual start)
    Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP: system32\DRIVERS\w29n51.sys (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (manual start)
    WEASEL: \??\C:\WINDOWS\system32\drivers\WEASEL.SYS (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
    Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
    AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011: system32\drivers\wA301a.sys (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 39,697 bytes
    Report generated in 0.301 seconds

    ***************************************************
    Did sc query "Ken32 Driver Service":

    SERVICE_NAME: Ken32 Driver Service
    TYPE : 110 WIN32_OWN_PROCESS (interactive)
    STATE : 1 STOPPED
    (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 1067 (0x42b)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    * End

    Anything I missed? By the way, in Safe Mode the problem does not occur. When I boot into Safe Mode, the process iexplore.exe is not listed in Task Manager.
