Member_2_49692

VIRUS ????

Hello everyone...

I have a Windows XP system that I am working on that I am pretty sure has a virus...

These are the symptoms:

Cannot access the control panel
Clicking on internet explorer does nothing
Cannot access My Network Places
In command prompt I am getting an IP address, gateway etc... I can release and renew but still no connection to the internet through Internet Explorer.

Also can ping 127.0.0.1 which is successful...

Tried to run Windows Messenger to establish a Remote Assistance connection... it asks to launch the web browser to register... the browser never launches; all I get is a script error message.
Tried to reinstall Internet Explorer - no result
Tried to install Road Runner Medic - no result
Email will not work.
Checked under the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run .... one of the items listed is 17669.exe
When booting an error message occurs stating DLL initialization failed 17669.exe

I looked in the log files for app errors; there are a lot of WCI ERRORS.... I do not know what this is but the description says "Cleaning up corrupt Content Index Metadata C:\system volume information"

There are also application errors stating MCShield6.0 is the faulting application in Kernel32.DLL; MCShield is a component of McAfee anti-virus...

I also tried sfc /scannow which just disappeared.

I cannot access My Computer.

I can access system properties

I can access files and folders through the Run command.

Application and control panel type windows will either not appear at all or just pop off the screen for no reason.

I am thinking it may be this virus but I am not sure
http://securityresponse.symantec.com/avcenter/venc/data/w32.nofer.a@mm.html

Since I am unable to connect to any sort of internet or network connection I cannot run any online virus scanners.

I am wondering if anyone knows of any virus that may behave this way and/or of any anti-virus software that can be downloaded and used for free.
Member_2_49692

ASKER

I guess I should reword that: I am wondering if anyone has run into this problem before.
You seem to have a network connection.  If that is the case, make sure you have up-to-date anti virus definitions on another box attached to the n/w and then run a virus check on the problem system from there.  You may need to enable sharing on the root of the drive of the affected system and map the drive on the other system in order to be able to do that.  I'm not sure the online scanners will scan a n/w drive, but you should be able to scan from another system on your local n/w.

Good Luck.

JohnT
AVG free version won't work in a networked environment.

JohnT
OK this is what was discovered...

In Task Manager, CPU utilization was 100% even after adjusting Windows for best performance.

SVCHOST.EXE (there were 4 of these listed: one local, one network and two others that were not specified). When I checked this it was using 99% CPU utilization. Could not access Internet Explorer, My Computer or My Network Places; none of them would open. It would go to an hourglass, then the screen would remove all the icons and basically go to a blank desktop, then the screen would flash and all the icons would come back, but the computer was still running extremely slowly..

Checked the registry under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; there was an entry saying 17669.exe. This entry had no further information.

I did a search for 17669.exe in Windows; it was located in the C:\Windows directory and also in C:\windows\Prefetch. In Prefetch everything has a .pf extension, which seems weird. This is a Dell computer; not sure if this is part of Dell's preload or backup setup, but it does not seem right.

The 17669.exe file also had -13ABA5DD.PF after it in the c:\windows\prefetch directory. No publisher information or anything in any of the property pages, on either one of them, the one in c:\windows or the one in c:\windows\prefetch...

Ran Ad-aware 6.0 and it found 192 objects; this is the log:

ArchiveData(auto-quarantine- 03-04-2004 23-51-16.bckp)
======================================================

ZIPCLIXTOOLBAR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZipClix
obj[7]=RegValue : SOFTWARE\Microsoft\Internet Explorer\Toolbar
obj[12]=RegKey : SOFTWARE\Zipclix
obj[15]=RegKey : ZipclixObj.ZipclixObj
obj[16]=RegKey : ZipclixObj.ZipclixObj.1
obj[17]=RegKey : Typelib\{BBCD25C8-A31E-4DFB-B204-B54BBA477B23}
obj[21]=RegKey : Interface\{EC34A4B3-809A-4A71-88D4-55B5183D6041}
obj[32]=RegKey : CLSID\{319A68DB-06D0-46DA-9F93-A810D5A70836}
obj[36]=Folder : c:\program files\Zipclix
obj[48]=File : c:\program files\zipclix\zipclix.ini
obj[49]=File : c:\program files\zipclix\zipclix.exe
obj[50]=File : c:\program files\zipclix\zipclix.dll
obj[51]=File : c:\program files\zipclix\unwise.exe
obj[52]=File : c:\program files\zipclix\install.log

CLARIA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime
obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Date Manager
obj[3]=RegValue : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
obj[9]=RegKey : SOFTWARE\Gator.com
obj[10]=RegKey : Software\CLASSES\GetAndRun.DFRun
obj[11]=RegKey : Software\CLASSES\GetAndRun.DFRun.1
obj[13]=RegKey : Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN
obj[27]=RegKey : getandrun.dfrun
obj[28]=RegKey : getandrun.dfrun.1
obj[33]=RegKey : CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
obj[38]=Folder : c:\program files\PrecisionTime
obj[40]=Folder : c:\program files\Gator.com
obj[41]=Folder : c:\program files\Date Manager
obj[43]=Folder : c:\program files\common files\GMT
obj[44]=Folder : c:\program files\common files\CMEII
obj[45]=File : c:\windows\gatorplugin.log
obj[46]=File : c:\windows\gatorpdpsetup.log
obj[47]=File : c:\windows\gatorpatch.log
obj[53]=File : c:\program files\precisiontime\unwise.exe
obj[54]=File : c:\program files\precisiontime\precisiontimewebsite.url
obj[55]=File : c:\program files\precisiontime\precisiontime.lcl
obj[56]=File : c:\program files\precisiontime\precisiontime.ini
obj[57]=File : c:\program files\precisiontime\precisiontime.exe.manifest
obj[58]=File : c:\program files\precisiontime\install.log
obj[63]=File : c:\program files\gator.com\gator
obj[64]=File : c:\program files\date manager\unwise.exe
obj[65]=File : c:\program files\date manager\install.log
obj[66]=File : c:\program files\date manager\datemanager.exe.manifest
obj[67]=File : c:\program files\date manager\datemanager.exe
obj[68]=File : c:\program files\date manager\datemanager.dat
obj[69]=File : c:\program files\date manager\date manager website.url
obj[70]=File : c:\program files\common files\gmt\scripts
obj[71]=File : c:\program files\common files\gmt\meprca.dat
obj[72]=File : c:\program files\common files\gmt\mepimg.dat
obj[73]=File : c:\program files\common files\gmt\mepgh.dat
obj[74]=File : c:\program files\common files\gmt\mepcmeft.dat
obj[75]=File : c:\program files\common files\gmt\mepcme.dat
obj[76]=File : c:\program files\common files\gmt\mepbs.dat
obj[77]=File : c:\program files\common files\gmt\helper.wav
obj[78]=File : c:\program files\common files\gmt\guninstaller.exe
obj[79]=File : c:\program files\common files\gmt\gmt.exe.manifest
obj[80]=File : c:\program files\common files\gmt\gatorstubsetup.exe
obj[81]=File : c:\program files\common files\gmt\gatorres.dll
obj[82]=File : c:\program files\common files\gmt\gator.log
obj[83]=File : c:\program files\common files\gmt\fillin.wav
obj[84]=File : c:\program files\common files\gmt\egnsengine.dll
obj[85]=File : c:\program files\common files\gmt\egieprocess.dll
obj[86]=File : c:\program files\common files\gmt\egieengine.dll
obj[87]=File : c:\program files\common files\gmt\eggcengine.dll
obj[88]=File : c:\program files\common files\gmt\downloadtemp
obj[89]=File : c:\program files\common files\gmt\data
obj[90]=File : c:\program files\common files\gmt\63735n58cj
obj[91]=File : c:\program files\common files\cmeii\store
obj[92]=File : c:\program files\common files\cmeii\gui
obj[93]=File : c:\program files\common files\cmeii\gtools.dll
obj[94]=File : c:\program files\common files\cmeii\gstoreserver.dll
obj[95]=File : c:\program files\common files\cmeii\gstore.dll
obj[96]=File : c:\program files\common files\cmeii\gobjs.dll
obj[97]=File : c:\program files\common files\cmeii\gmtproxy.dll
obj[98]=File : c:\program files\common files\cmeii\gioclclient.dll
obj[99]=File : c:\program files\common files\cmeii\giocl.dll
obj[100]=File : c:\program files\common files\cmeii\gdwldeng.dll
obj[101]=File : c:\program files\common files\cmeii\gcontroller.dll
obj[102]=File : c:\program files\common files\cmeii\gatorsupportinfo.txt
obj[103]=File : c:\program files\common files\cmeii\gappmgr.dll
obj[104]=File : c:\program files\common files\cmeii\cmesys.exe
obj[105]=File : c:\program files\common files\cmeii\cmeiiapi.dll
obj[106]=File : c:\program files\common files\cmeii\cmediagnostics.log
obj[107]=File : c:\program files\common files\cmeii\apps
obj[191]=File : c:\documents and settings\all users\start menu\programs\startup\precisiontime.lnk
obj[192]=File : c:\documents and settings\all users\start menu\programs\startup\gstartup.lnk
obj[193]=File : c:\documents and settings\all users\start menu\programs\startup\date manager.lnk

BLAZEFIND
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
obj[29]=RegKey : CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}

HUNGRYHANDS BHO
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[19]=RegKey : TYPELIB\{03f8822f-8877-4002-8bcd-b532d53d8471}
obj[20]=RegKey : Interface\{F8FB4EA2-6C05-4DE5-8CD0-625B03F48E22}
obj[23]=RegKey : hungryhands.hungrybho
obj[24]=RegKey : hungryhands.hungrybho.1
obj[30]=RegKey : CLSID\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[34]=RegKey : AppID\{03F8822F-8877-4002-8BCD-B532D53D8471}
obj[35]=RegKey : AppID\HungryHands.DLL

HTTPER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[6]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[14]=RegKey : Software\Httper
obj[18]=RegKey : TYPELIB\{ab7b627d-b2af-4b6d-bda1-4930579ffcd8}
obj[22]=RegKey : Interface\{7D49A302-3C1C-4706-B6DC-8C8BBB500BA0}
obj[25]=RegKey : httper.iefriendly
obj[26]=RegKey : httper.iefriendly.1
obj[31]=RegKey : CLSID\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[39]=Folder : c:\program files\Httper
obj[59]=File : c:\program files\httper\unwise.exe
obj[60]=File : c:\program files\httper\install.log
obj[61]=File : c:\program files\httper\httper.ini
obj[62]=File : c:\program files\httper\httper.dll

ALEXA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[8]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a


CLARIA would not remove initially (also listed as cmeii); Ad-aware could not initially remove it, but I instructed it to remove it after reboot... which it did successfully do.

I also ran AVG Anti Virus it found nothing...

I then ran HijackThis and I removed this entry:

HKCU\Software\Microsoft\CurrentVersion\Internet Settings\Proxy Override = ;127.0.0.1;<local>


After that I regained internet access.

I went to Trend Micro HouseCall and ran the online virus scan; it found:
Malware.JS_FORTNIGHT.M and removed it this was the only thing that it found.

Here is the log file from HijackThis...

StartupList report, 4/4/2004, 1:01:10 AM
StartupList version: 1.52
Started from : C:\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Washer Pro\iw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\HiJackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Lavon\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Digital Line Detect.lnk = ?
hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
Microsoft Works Calendar Reminders.lnk = ?
officejet 6100.lnk = ?
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
BCMSMMSG = BCMSMMSG.exe
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe
nwiz = nwiz.exe /install
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Internet Washer Pro = C:\Program Files\Internet Washer Pro\iw.exe min

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{39347012-A94D-4CF3-A2B3-5EA3E924A728}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2100 series#1040263182.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{421A63BA-4632-43E0-A942-3B4AB645BE51}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL
CODEBASE = http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/123e635de35d01745823/netzip/RdxIE601.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

[CQD2Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\installer.dll
CODEBASE = http://smartdownloader.com/installer.dll

[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs5b.instantservice.com/jars/customerxsigned33.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AutoComplete Service: C:\PROGRA~1\INTERN~2\autocomp.exe (manual start)
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\System32\drivers\CDAC11BA.EXE (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CdaC15BA: \??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McShield: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS (manual start)
Intel(R) NMS: C:\WINDOWS\System32\NMSSvc.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 36,869 bytes



LET ME KNOW IF ANY OF YOU SEE ANYTHING THAT LOOKS OUT OF THE ORDINARY. THE system seems to be back to normal.
Try scanning with TrendMicro's free virus scan; it may find what you're looking for.

http://housecall.trendmicro.com/housecall/start_corp.asp
skaha, I already did that, and also Norton and AVG; none of them detected the 17669.exe file as a virus. I am going to submit it to Symantec and see what they say.
Symantec would not let me submit it at all through their automatic system; it said it was not a virus. I tried submitting it through SARC, which is their downloadable submission tool (which ended up, when it took the file(s) I saved on disk that were the virus files, putting them in a temp folder on the hard drive of my other PC (how nice of them) - sarcasm).

At any rate, they still have not gotten back. I also submitted it to F-Prot, who came back saying it is a Trojan known as W32/Rdom.a but gave no further info other than that it was a backdoor program.

In addition, I just found out last night, when I used Trend Micro's HouseCall to scan the system (since I have lost my sense of security with Symantec, which still reports no virus), that Trend Micro discovered the submitted virus in a temp folder under the directory of SARC, which is Symantec's submission tool. I do not know why SARC saved this to my hard drive considering I pointed SARC to the diskette with the virus files. SARC also required the diskette to have write access (which to me is a security risk).

Symantec still has no answer for why I am paying for their anti-virus product when two of their competitors have identified the Trojan. They keep telling me in email I can have a virus support technician help me by either calling a 900 number or paying $20.00 to $50.00 for them to remove it; they do not seem to understand I have already removed it, I just want to know about it and why they did not pick it up.

At any rate, here is what HouseCall identified it as: sdown.a

Here is the link: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SDOWN.A

--------------------------------------------------------------------------------

Virus type: Trojan
Destructive: No
Aliases: SDOWN.A
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Overall risk rating: Very Low

--------------------------------------------------------------------------------

Reported infections: Low
Damage Potential: Low
Distribution Potential: Low

--------------------------------------------------------------------------------

Description:

This memory-resident Trojan checks if a system has an Internet connection and then links to a particular IP address to download a malicious file.

It drops a copy of itself using a randomly generated 5-character file name in the Windows folder.

This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. This is also an effective way to terminate its process. In this procedure, you will need the name/s of the file/s detected earlier.

1. Open Registry Editor. Click Start>Run, type Regedit, then hit Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

In the wild: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Size of virus: 27,648 Bytes (compressed), 57,344 Bytes (decompressed)
Discovered: Apr. 4, 2004
Detection available: Apr. 4, 2004

--------------------------------------------------------------------------------

Details:

Installation

Upon execution, this memory-resident Trojan drops a copy of itself using a randomly generated file name in the Windows folder. The file name is composed of 5-character combinations of letters and numbers (i.e. 4a086.exe, 5740f.exe, 38dbd.exe, etc.).

Once executed, it checks if a system is currently connected to the Internet. If so, it connects to the following IP address:

209.4<BLOCKED>15.83

It then tries to download one of the following files, which are suspected to be malicious:

FT39.COM
KR62.COM
QT94.COM
RD19.COM
XT40.COM

Autostart Technique

This malware creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<5-digit_filename.exe> = <"5-digit_filename.exe">

(Note: 5-digit_filename.exe represents the dropped copy of this malware.)

Other Details

The following text strings are found in the body of this malware:

"Program:
<program name unknown>

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Buffer overrun detected!

A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Unknown security failure detected!"

--------------------------------------------------------------------------------
Analysis by: Reuel A. Morales

Description created: Apr. 4, 2004

I would suggest uninstalling the road runner medic.  I have heard of major issues due to Road Runner Medic installed.  You may have to resort to a fresh system format.
I don't have Road Runner Medic on the system; I got rid of that a long time ago because it installs BroadJump Client Foundation (which is spyware).
Thanks for the points briancassin, hope I helped a little.
You're welcome, and yes, you helped :)
Thank you.
You're welcome, gemarti, thank you for your help. Sorry to all of you that it took so long for me to close out.
Assume that anything may attempt to create a nuisance.
When you experience this - go to "Windows" and "Windows\system32" - place Explorer in "details" view and display the directories sorted by modified date. Only "Performance Logs" should be a late entry. Take "Properties" on all late ".exe" files - check for origination and version identification. Hit CTRL+ALT+DEL to activate Taskman/Processes - and try to stop the process with this image. Rename the image from "xx.exe" to "xx.exe.vir" if you are suspicious. Use the copied image in the cached folder if you have to rename a "DLL" file. You will not be able to copy running images.

In Regedit - verify the two RUN keys. Remove all entries you do not know - or rename the key with '%' first in the key name if you are suspicious.
Now reboot after power down. Take notice of messages that occur and inspect the event logs at successful boot.

Back up, go to Windows - rename all ".exe" files with a combination of UPPERcase and lowerCASE letters - according to your pattern - e.g. 3rd and 6th letter in UPPER case:
rename taskman.exe taSkmAn.exe
Copy or zip all ".exe" + ".dll" to "System32.zip" and "Windows.zip" - restore changed files from this, and remake the library after every system upgrade.
Next time you reboot, you will be able to see "trusted" files immediately in Taskman and "novelties" will stand out - e.g. if you have renamed it dlLhoSt.exe, a change back to the old DLLHOST.EXE is revealing.

Search "Documents and Settings" for ".exe" files. Usually the viruses are temporarily stored here before being copied. If you find any files - then search the computer for copies - and remove any reference in the registry.

Do not rely on a virus scanner - viruses now come as adverts on sites, and on a 50Mbps wireless connection you can get a pile of them in a few seconds. IT TAKES HOURS TO UPGRADE A VIRUS SCANNER WITH NEW "PATTERNS". Finally, post your findings in places like this for others to review.
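The autostart entry in the Trend Micro details above and the "verify the two RUN keys" step in the post just above are the same check seen from the defender's side. Here it is as an added Python example, not code from this thread or from Trend Micro: it parses a `reg export` of the Run keys (or reads them live with `winreg` when run on Windows) and flags entries whose executable name has the 5-character hex shape of the dropped copy (17669.exe, 4a086.exe), or that give no directory at all, so Windows would resolve them through its search path. The .reg text, its NvCplDaemon / VSOCheckTask / MSMSGS / 4a086 entries and the KNOWN_GOOD allowlist are constructed sample data. It goes slightly beyond the write-up by covering the HKEY_CURRENT_USER Run key as well, since that is the second key the post refers to.

```python
# Added example (not from this thread or Trend Micro): triage the two Run keys for
# the TROJ_SDOWN.A autostart pattern. The .reg text, its NvCplDaemon / VSOCheckTask
# / MSMSGS / 4a086 entries and KNOWN_GOOD are constructed sample data.
import re
import sys
from typing import Dict, Iterable, List

RUN_KEY_SUFFIX = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKLM and HKCU
# Dropped-copy naming from the write-up: five letters/digits plus .exe
# (4a086.exe, 5740f.exe, 38dbd.exe); the thread's own 17669.exe has the same shape.
RANDOM_NAME = re.compile(r"^[0-9a-f]{5}\.exe$", re.IGNORECASE)

# Constructed sample shaped like `reg export` output.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"17669"="17669.exe"
"4a086"="C:\\WINDOWS\\4a086.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""
KNOWN_GOOD = ("msmsgs.exe",)  # assumed allowlist: images already checked via Properties


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"="data" lines of a .reg file; string values only."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line or line.startswith(";"):
            continue
        name_part, data_part = line.split("=", 1)
        if not (data_part.startswith('"') and data_part.endswith('"')):
            continue  # hex()/dword data cannot be a Run command line
        name = name_part.strip('"')  # the default value stays "@"
        # .reg escapes backslash and quote with a backslash; undo that in one pass.
        entries[current][name] = re.sub(r"\\(.)", r"\1", data_part[1:-1])
    return entries


def command_image(command: str) -> str:
    """Bare file name of the executable a Run command launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command[1:]
    else:
        image = command.split(None, 1)[0] if command else ""
    return image.rsplit("\\", 1)[-1]


def triage_run_entries(entries: Dict[str, Dict[str, str]],
                       known_good: Iterable[str] = ()) -> List[dict]:
    """Flag Run-key entries worth a second look; known-good images are skipped."""
    allow = {n.lower() for n in known_good}
    findings: List[dict] = []
    for key, values in entries.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX.lower()):
            continue
        for name, command in values.items():
            image = command_image(command)
            if image.lower() in allow:
                continue
            reasons = []
            if RANDOM_NAME.match(image):
                reasons.append("5-character hex image name (TROJ_SDOWN.A dropped-copy pattern)")
            if "\\" not in command:
                reasons.append("no directory given; resolved via the search path, which "
                               "includes the Windows folder where the copy is dropped")
            if not reasons:
                reasons.append("not on the known-good list; check Properties for origin/version")
            findings.append({"key": key, "name": name, "command": command, "image": image,
                             "severity": "high" if RANDOM_NAME.match(image) else "review",
                             "reasons": reasons})
    return findings


def read_run_keys_live() -> Dict[str, Dict[str, str]]:
    """On Windows, read both Run keys with winreg; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries: Dict[str, Dict[str, str]] = {}
    for hive_name, hive in (("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE),
                            ("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_KEY_SUFFIX) as key:
                values = {}
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, vtype = winreg.EnumValue(key, i)
                    if vtype in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                        values[name] = data
                entries[hive_name + "\\" + RUN_KEY_SUFFIX] = values
        except OSError:
            continue
    return entries


if __name__ == "__main__":
    source = read_run_keys_live() or parse_reg_export(SAMPLE_REG_EXPORT)
    for f in triage_run_entries(source, KNOWN_GOOD):
        print(f"[{f['severity']}] {f['name']} = {f['command']}: " + "; ".join(f["reasons"]))
```

Run as-is it triages the constructed export; on an XP box, `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the format `parse_reg_export` expects, and on Windows the script reads the live keys instead. A "high" finding is a candidate for the Task Manager and Regedit steps in the write-up above, not proof of infection; a "review" entry still deserves the Properties check for origin and version before it goes on the allowlist.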
If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this?  Should this person be running Ad-aware in ADDITION??
>>If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this?
It's an opportunity to make more money and expand the product line. Simple economics. ....
Most people don't consider the stuff that adware picks up to be harmful.  But looks like it is!  EEK!
Yeah it's a nuisance...
How can I remove the IE small icon from the title bar of the Modal Dialog Box?
HELLO EXPERTS,
I WANT TO KNOW HOW CAN I REMOVE THE SMALL INTERNET EXPLORER ICON AND THE "WEB DIALOG BOX" TITLE FROM THE MODAL DIALOG BOX OR ANY OTHER TYPE OF DIALOG BOX.

I SEE THE AUTOCOMPLETE ADVERTISEMENT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON IT WHEN I BROWSE GOOGLE.COM.

PLEASE ANSWER MY QUESTION AND SEND THE SCRIPT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON THE TOP LEFT CORNER SITE...
msnia,

This is a new question.  Please raise it properly.  [And don't shout (use block capitals.)]

lol

JohnT
"Malware" or not, I raised this with the "Better Business Bureau".
If you consider it appropriate that another company can at any time inspect your computer - see all installed software, what you are running and possibly intercept what is typed - then fine; just leave this discussion.

I also know that a trace of the doings of "commercial exploitation" is not searched for by any virus scanner - including Norton. You have to detect this yourself - remove what is inappropriate and retain sufficient to allow e.g. Kodak camera software to be used.

There is a need for the public (US and the rest of the world) to stand up and dictate to companies what we find "reasonable" trespassing on our computer - where they cross the border of "privacy". Is it acceptable to leave a port open ("LISTEN") for code updates? - that sends "I'm on the net"? - or does a company need to notify the user of an update policy, and leave it to "the consumer" to choose? To make the Kodak update, much of the Blaster virus code was used, while Kodak claim that they just outsourced this to a company that provided the solution they distribute - and they are unaware of links between the codes.

To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics.

So I ask the moderator to recommend further action.
Knut H.
As far as I am concerned the spyware should be illegal.... it opens up ports like opening doors and windows on your house... If my computer was a work computer, say a laptop that connects through VPN or whatnot to my company, this is a big security risk in my eyes, having this spyware on a system. If companies can code stuff like CoolWebSearch (which should be considered 100% malicious code because of what it does) and distribute it and then cause my system and other people's systems to be unusable, in addition to hogging bandwidth etc... this should be illegal...

Cable theft is illegal, so why is it not illegal for companies to rip off my bandwidth allocated to me by my ISP, who is a cable provider?

Tapping someone's phone or recording a conversation without consent is illegal, so why is it legal for companies to tap my computer?

If I put a program on someone else's computer it would be considered hacking and so forth if it collected data about them, so why is it that these companies that make spyware do not go to jail?

With the Patriot Act, why is it not illegal for these companies to acquire personal data about you? How do we know that some of these spywares are not developed by other governments or individuals just waiting for the spyware to get on the right person's PC to get information off of their system to sell or use for other malicious purposes?

Even better yet these marketing companies are making money off of putting their junk on peoples computers seeing as how no one will buy the telemarketing junk and/or participate in surveys now they have to be sneaky about it and they get money for this, this data is sold to the highest bidder for demographic / marketing data.

I think personally a class action lawsuit should be started based on and seeking:

Invasion of privacy
Loss of functionality / use of equipment
Emotional Damages - based on the stress of trying to get the garbage off the PC.
Misrepresentation / Fraud / False Advertising
Punitive damages - based on the above mentioned.
Repair costs and reimbursement for time loss due to problems caused by the spyware and also the removal of it. ( this should be available to the home user and corporations).
Using someone else's equipment for profit without written consent (I would think anyone would charge money to rent equipment or space these days... so if their software is using my PC as a server then I want to be paid as a hosting company would be).
I have tried the "Invasion of Privacy" - where the BBB (US "Consumer councils") rejected the case on the basis that the distributor of the "software" was "ignorant of malice" and "relied on professional recommendation when developing the software". I needed to provide evidence of intent of malice - furthermore the distribution was a "free" add-on to a product, where functionality could be achieved without it. (So - what is the purpose, other than surveillance of buyers' behaviour?)

Illegal.
- Which law do you apply: US state law, UK law - my Kodak company has a mailing address in NJ - where complaints were treated out of courtesy because I was not a NJ resident.
In Europe, it is simpler - we may raise issues like this with local consumer councils that will make recommendations first with national ramifications - and then gradually end up as EC against ... - but until then we fight a dodging US community. I would recommend full public reporting of the activity - possibly even as a virus, with full removal as an option. I would also like to see an agency that could "approve" code. That would involve verifying the source code, describing top-level actions, and the nature of the reporting. There used to be standards here - as a vendor we had to warrant that the code had no side effects and made no usage of other resources - and expected to be dragged to court for deviating from this. We could not subcontract development to other companies if we could not inspect the code to verify and ensure that they did not jeopardise us.
There is a "cowboy" attitude in the industry - someone got away with it sets a precedent. It is with full intent I refer to the company that brought this to my attention. I ask everyone to do likewise - not
                "I received spyware the other day" - but
                .."after installing new camera drivers from Kodak - I discovered that..." - ready with full name and address, to enable others that have installed a similar driver to inspect, see and learn.
My hope is that finally the companies will learn. This may entail that we may have to discourage installation and recommend against purchase of things. However, companies should be certain that the products they develop and sell meet consumer requirements - and not everything else.

I agree that we may need to get some lawyers out.
"To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics."

I totally agree with all these comments.  Technology is great. But - Sheesh between the malware and outsourcing, companies are exploiting loopholes that interfere with our rights as far as I am concerned.  Big business is a worse threat than Big Brother.  Let them do business, just don't interfere with my rights!  Look at all of the posts of late with people upset about them screwing with our personal computers.  This is outrageous.
Beware,
It is not your "personal" computer that suffers the most.
In another discussion group I posted a virus that left a bank open - Anyone could write a simple VBA program. I used an LDAP browser to see who worked in the bank - link names, email addresses, PC/LAN names - and what they worked on. What you could have done with their banking systems is left for me and you to imagine. Had I hacked my way into the bank - instead of writing an email to the sysadm - they could have prosecuted me for criminal conduct. That they left a security hole and tried to infect my PC with a virus would be irrelevant. I would have a lot of explaining to do to the judge - and wonder if I ever would have got off the hook.

One company that was traced last year as originator for such "Adware" - caused a major hiccup on the Internet yesterday according to the Washington Post.
It makes me believe it is no longer "Big Business" - but "Greedy Business", usually relatively small companies, that cause the big problems. It is also the rest of us that leave it to others to fix our own problems. A virus scanner will detect persistent objects as "files" on your computer, compare with what has been found on others, give them a name that you can report and delete the files. Their skills in networking bother me - and I rely on continually updating Stinger - and no scanner - but a firewall that is effective. Beware that Microsoft's implementation of tcp/ip is incomplete and with so many security holes that I wonder why nobody has seen the business opportunity in making a full "Winsocket" implementation - without the "Commercial exploitations".

Very much of all this could have been avoided by all of us if we had used a browser like Opera, that traps Adware.