orb0554

  1. Hi Chris, I had AVG installed but it would not update, hence the issues with access to any of the security sites. I removed AVG during one of the tools we were trying to run. All seems to be normal except for the wireless card. I will try to get an external card that I can plug into the notebook. Thanks for all your help and have a great weekend, Oscar

     ------------------------------------------------------------------------------------------------------
     These are the reports you requested.

     Scanning Report
     Friday, September 4, 2009 09:13:08 - 10:03:43
     Computer name: EBRUTUS
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\ D:\
     --------------------------------------------------------------------------------
     18 malware found
     TrackingCookie.Questionmarket (spyware)
       System (Disinfected)
     TrackingCookie.Adinterax (spyware)
       System (Disinfected)
     TrackingCookie.2o7 (spyware)
       System (Disinfected)
     TrackingCookie.Advertising (spyware)
       System (Disinfected)
     TrackingCookie.Atdmt (spyware)
       System (Disinfected)
     TrackingCookie.Adtech (spyware)
       System (Disinfected)
     TrackingCookie.Doubleclick (spyware)
       System (Disinfected)
     TrackingCookie.Revsci (spyware)
       System (Disinfected)
     TrackingCookie.Specificclick (spyware)
       System (Disinfected)
     TrackingCookie.Adrevolver (spyware)
       System (Disinfected)
     TrackingCookie.Adbrite (spyware)
       System (Disinfected)
     TrackingCookie.Xiti (spyware)
       System (Disinfected)
     TrackingCookie.Mediaplex (spyware)
       System (Disinfected)
     TrackingCookie.Tradedoubler (spyware)
       System (Disinfected)
     TrackingCookie.Statcounter (spyware)
       System (Disinfected)
     TrackingCookie.Atwola (spyware)
       System (Disinfected)
     TrackingCookie.Yieldmanager (spyware)
       System (Disinfected)
     TrackingCookie.Imrworldwide (spyware)
       System (Disinfected)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 45570
       System: 3477
       Not scanned: 6
     Actions:
       Disinfected: 18
       Renamed: 0
       Deleted: 0
       Not cleaned: 0
       Submitted: 0
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
     --------------------------------------------------------------------------------

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 2
     Out of date service pack!!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     Avira AntiVir Personal - Free Antivirus
     Antivirus up to date!
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     Adobe Flash Player 10
     Adobe Reader 7.1.0
     Out of date Adobe Reader installed!
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     Avira Antivir avgnt.exe
     Avira Antivir avguard.exe
     ``````````````````````````````
     DNS Vulnerability Check:
     GREAT! (Not vulnerable to DNS cache poisoning)
     `````````End of Log```````````
  2. Here is the HJthis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 9:18:16 AM, on 9/3/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
     C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\HPZipm12.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     C:\WINDOWS\system32\mqsvc.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
     C:\WINDOWS\system32\mqtgsvc.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
     R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
     O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
     O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
     O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
     O15 - Trusted Zone: http://www.adobe.com
     O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
     O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

     --
     End of file - 6166 bytes
  3. Hi Chris, Here are the log files from MBAM and HJthis. Made great progress thanks to your help. Do you think the system is cleaned? What do you recommend next? What is the best way to check/clean the removable drives like memory sticks? Thanks, Oscar

     Attachment: mbam_log_2009_09_03__09_04_43_.txt
  4. Normal Mode, I think it may be an HP issue. I found posts about others having the same wireless problems with the HP DV6000. The new version of ComboFix worked after renaming the file. See uploaded file for results. I just started MalwareBytes and will post the log when completed. Thank you, Oscar

     Attachment: ComboFix.txt
  5. Hi Chris, As a side note, would this virus somehow disable my wireless connection? I no longer have wireless and cannot see it in Device Manager. The LAN hardwired connection works fine. The notebook is an HP Pavilion DV6000. Thanks, Oscar
  6. Chris, This is the log from Avenger2. ComboFix still crashes the PC with a blue screen dump.

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.
     No rootkits found!

     File move operation "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

     Completed script processing.

     *******************

     Finished! Terminate.
  7. Chris, Here is the log from Avenger:

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Error: could not open file "C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll" for move operation
     File move operation "C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
     Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
       --> bad path / the parent directory does not exist

     Completed script processing.

     *******************

     Finished! Terminate.

     I did a search and eventlog.dll was found in the following locations:
     C:\WINDOWS\system32\
     C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\

     ComboFix started fine but during the scan I got the blue screen. - Oscar
  8. Hi Chris, I renamed ComboFix to OscarFix and was able to start the program. ComboFix started as described and successfully downloaded the Microsoft Recovery Console. The problem begins when ComboFix starts scanning the computer files: XP crashes, causing a reboot. I tried starting XP in safe mode and received the same results. Any suggestions are greatly appreciated. Thanks, Oscar
  9. Hi screen317, I downloaded ComboFix using another computer and copied ComboFix to the infected computer's desktop. I double-clicked on ComboFix and nothing happened. I rebooted in safe mode, double-clicked on ComboFix and nothing happened. Any suggestions on how to get these tools to start? - Oscar
  10. -screen317 Not having much luck. This is what I have so far in safe mode:

     Log file is located at: C:\Documents and Settings\ERMINE\Desktop\Win32kDiag.txt

     Removing all found mount points.
     Attempting to reset file permissions.

     WARNING: Could not get backup privileges!

     Searching 'C:\WINDOWS'...

     Finished!

     =====================================================

     ROOTREPEAL © AD, 2007-2009
     ==================================================
     Scan Start Time: 2009/08/26 09:12
     Program Version: Version 1.3.5.0
     Windows Version: Windows XP Media Center Edition SP2
     ==================================================

     Drivers
     -------------------
     Name: dump_nvata.sys
     Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
     Address: 0xEB0DD000  Size: 102400  File Visible: No  Signed: -  Status: -

     Name: dump_WMILIB.SYS
     Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
     Address: 0xF79B5000  Size: 8192  File Visible: No  Signed: -  Status: -

     Name: rootrepeal.sys
     Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
     Address: 0xB9355000  Size: 49152  File Visible: No  Signed: -  Status: -

     Stealth Objects
     -------------------
     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: winlogon.exe (PID: 836)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: services.exe (PID: 880)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: lsass.exe (PID: 892)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UACvrgixgotkq.dll]
     Process: svchost.exe (PID: 1040)  Address: 0x00820000  Size: 77824

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: svchost.exe (PID: 1040)  Address: 0x009d0000  Size: 49152

     Object: Hidden Module [Name: UACdlmlohlvrq.dll]
     Process: svchost.exe (PID: 1040)  Address: 0x00a80000  Size: 73728

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1040)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1136)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1180)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1300)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1388)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: spoolsv.exe (PID: 1664)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UACvrgixgotkq.dll]
     Process: Explorer.EXE (PID: 1868)  Address: 0x10000000  Size: 77824

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: PIFSvc.exe (PID: 260)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: avgcc.exe (PID: 268)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: HPWuSchd2.exe (PID: 276)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: ctfmon.exe (PID: 300)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: MsnMsgr.Exe (PID: 320)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: ERMINE.exe (PID: 396)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: CCAAgent.exe (PID: 516)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: hpqtra08.exe (PID: 524)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: hpqSTE08.exe (PID: 1464)  Address: 0x00aa0000  Size: 49152

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1440)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: msdtc.exe (PID: 1796)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: avgamsvr.exe (PID: 1960)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: avgupsvc.exe (PID: 2004)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: avgemc.exe (PID: 1144)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: ehRecvr.exe (PID: 2032)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: ehSched.exe (PID: 192)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: LSSrvc.exe (PID: 336)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: PIFSvc.exe (PID: 480)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: MDM.EXE (PID: 564)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: nvsvc32.exe (PID: 232)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: HPZipm12.exe (PID: 800)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1220)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: svchost.exe (PID: 1340)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: symlcsvc.exe (PID: 1128)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: wdfmgr.exe (PID: 1532)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: mcrdsvc.exe (PID: 1684)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: mqsvc.exe (PID: 2072)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: hpqwmiex.exe (PID: 2128)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: mqtgsvc.exe (PID: 2388)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: dllhost.exe (PID: 2680)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: alg.exe (PID: 2872)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: wuauclt.exe (PID: 3664)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: RootRepeal.exe (PID: 2992)  Address: 0x10000000  Size: 49152

     Object: Hidden Module [Name: UACypylcpaibh.dll]
     Process: Iexplore.exe (PID: 2792)  Address: 0x10000000  Size: 217088

     Object: Hidden Module [Name: UAConevjkvotk.dll]
     Process: WLLoginProxy.exe (PID: 1924)  Address: 0x10000000  Size: 49152

     ==EOF==

     Please let me know how to find and remove UCA.... Thanks, Oscar
  11. I am having a problem with RootRepeal. I am getting an error message that it is not able to read the boot sector and suggests using options to adjust the Disk Access Level. I tried different settings and I am still getting the same error message. I have tried running RootRepeal and the system crashes after about 10 minutes. I have started Windows in safe mode with networking enabled but RootRepeal is taking too long, about 36 hours so far. Also, while RootRepeal was running, IE opened up with Google's page without user intervention. IE had been started/opened.
  12. I have an HP notebook with MS Win XP SP2 Media Center Edition and need help in removing malware. My problems started with unknown sounds playing by themselves on the notebook. I tried upgrading my existing AVG but got no response from the PC. Downloaded and installed Malwarebytes but it will not run, not even in safe mode. Downloaded Hijackthis but the PC does not respond and it is not installed. Tried to install VArestorepolicies but not sure if it is installed. Downloaded FixPolicies.exe but it will not install or run. Silentrunners.vbs provided the log:

     "Silent Runners.vbs", revision 59, http://www.silentrunners.org/
     Operating System: Windows XP SP2
     Output limited to non-default values, except where indicated by "{++}"

     Startup items buried in registry:
     ---------------------------------

     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
     "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
     "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
     "ERMINE" = "C:\Documents and Settings\ERMINE\ERMINE.exe" [null data]

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
     "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
     "Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
     "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
     "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
     "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
     {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
       -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
          \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
     {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
       -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [file not found]
     {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
       -> {HKLM...CLSID} = "SSVHelper Class"
          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
     {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
       -> {HKLM...CLSID} = "Windows Live Sign-in Helper"
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
     "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
       -> {HKLM...CLSID} = "Display Panning CPL Extension"
          \InProcServer32\(Default) = "deskpan.dll" [file not found]
     "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
       -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
     "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
       -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
     "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
       -> {HKLM...CLSID} = "History Band"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
     "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
       -> {HKLM...CLSID} = "Portable Media Devices Menu"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
     "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
       -> {HKLM...CLSID} = "DesktopContext Class"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
     "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
       -> {HKLM...CLSID} = "NVIDIA CPL Extension"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
     "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
       -> {HKLM...CLSID} = "Desktop Explorer"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
     "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
       -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
     "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
       -> {HKLM...CLSID} = "nView Desktop Context Menu"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
     "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
       -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
     "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
       -> {HKLM...CLSID} = "ShellViewRTF"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
     "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
       -> {HKLM...CLSID} = "Microsoft Office Outlook"
          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
     "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
       -> {HKLM...CLSID} = "Outlook File Icon Extension"
          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
     "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
       -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
     "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
       -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
          \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
     "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
       -> {HKLM...CLSID} = "AVG7 Find Extension Class"
          \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
     "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
       -> {HKLM...CLSID} = "My Sharing Folders"
          \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

     HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
     <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
       -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

     HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
     {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
       -> {HKLM...CLSID} = "PDF Shell Extension"
          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

     HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
     AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
       -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
          \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

     HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
     AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
       -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
          \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
     MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
       -> {HKLM...CLSID} = "MBAMShlExt Class"
          \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

     HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
     FAExt\(Default) = "{05672D66-9736-42F5-8BEB-FA1DD3CA51C4}"
       -> {HKLM...CLSID} = "FAExt Class"
          \InProcServer32\(Default) = "C:\PROGRA~1\FILEAS~1\FILEAS~1.DLL" ["Malwarebytes"]
     MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
       -> {HKLM...CLSID} = "MBAMShlExt Class"
          \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

     Group Policies {GPedit.msc branch and setting}:
     -----------------------------------------------

     Note: detected settings may not have any effect.

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

     "HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
     {unrecognized setting}

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

     "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
     {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
     Shutdown: Allow system to be shut down without having to log on}

     "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
     {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
     Devices: Allow undock without having to log on}

     "InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
     {unrecognized setting}

     "InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
     {unrecognized setting}

     Active Desktop and Wallpaper:
     -----------------------------

     Active Desktop may be disabled at this entry:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

     Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
     HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
     "Wallpaper" = "C:\WINDOWS\Wave.bmp"

     Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
     HKCU\Control Panel\Desktop\
     "Wallpaper" = "C:\WINDOWS\Wave.bmp"

     Enabled Screen Saver:
     ---------------------

     HKCU\Control Panel\Desktop\
     "SCRNSAVE.EXE" = "C:\WINDOWS\system32\Berlitz.SCR" [empty string]

     Windows Portable Device AutoPlay Handlers
     -----------------------------------------

     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

     EHomeMusicDropTarget\
     "Provider" = "Media Center"
     "InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"
     "InvokeVerb" = "play"
     HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"
       -> {HKLM...CLSID} = "EHomeMusicDropTarget Class"
          \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

     EHomePhotosHandler\
     "Provider" = "Media Center"
     "InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"
     "InvokeVerb" = "play"
     HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"
       -> {HKLM...CLSID} = "EHomePhotosHandler Class"
          \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

     EHomeVideoDropTarget\
     "Provider" = "Media Center"
     "InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"
     "InvokeVerb" = "play"
     HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"
       -> {HKLM...CLSID} = "EHomeVideoDropTarget Class"
          \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

     EHomeVideosHandler\
     "Provider" = "Media Center"
     "InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"
     "InvokeVerb" = "play"
     HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"
       -> {HKLM...CLSID} = "EHomeVideosHandler Class"
          \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

     HPAutoplayExpress\
     "Provider" = "HP Photosmart Express Software"
     "InvokeProgID" = "HpqUnApl.Autoplay"
     "InvokeVerb" = "Express"
     HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Express\DropTarget\CLSID = "{57FA3F08-E36E-4820-9CC4-122D46114993}"
       -> {HKLM...CLSID} = (no title provided)
          \LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

     HPUnloadAutoplay\
     "Provider" = "HP Photosmart Transfer Software"
     "InvokeProgID" = "HpqUnApl.Autoplay"
     "InvokeVerb" = "Play"
     HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
       -> {HKLM...CLSID} = (no title provided)
          \LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

     muveeVideoCameraArrival\
     "Provider" = "muvee autoProducer 5.0"
     "ProgID" = "Shell.HWEventHandlerShellExecute"
     "InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee autoProducer 5.0 - SE\muveeapp.exe" /RECORD"
     HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
       -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
          \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

     QuickPlayDCameraArrival\
     "Provider" = "HP QuickPlay"
     "InvokeProgID" = "Picture"
     "InvokeVerb" = "PlayWithQuickPlay"
     HKLM\SOFTWARE\Classes\Picture\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY DSC "%L"" ["CyberLink Corp."]

     QuickPlayDVArrival\
     "Provider" = "HP QuickPlay"
     "ProgID" = "Shell.HWEventHandlerShellExecute"
     "InitCmdLine" = ""C:\Program Files\HP\QuickPlay\QP.exe" DV "%L""
     HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
       -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
          \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

     QuickPlayMusicFilesArrival\
     "Provider" = "HP QuickPlay"
     "InvokeProgID" = "MusicFiles"
     "InvokeVerb" = "PlayWithQuickPlay"
     HKLM\SOFTWARE\Classes\MusicFiles\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MUSIC "%L"" ["CyberLink Corp."]

     QuickPlayPlayCDAudioOnArrival\
     "Provider" = "HP QuickPlay"
     "InvokeProgID" = "AudioCD"
     "InvokeVerb" = "PlayWithQuickPlay"
     HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY CD "%L"" ["CyberLink Corp."]

     QuickPlayPlayDVDMovieOnArrival\
     "Provider" = "HP QuickPlay"
     "InvokeProgID" = "DVD"
     "InvokeVerb" = "PlayWithQuickPlay"
     HKLM\SOFTWARE\Classes\DVD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

     QuickPlayVideoFilesArrival\
     "Provider" = "HP QuickPlay"
     "InvokeProgID" = "VideoFiles"
     "InvokeVerb" = "PlayWithQuickPlay"
     HKLM\SOFTWARE\Classes\VideoFiles\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY VIDEO "%L"" ["CyberLink Corp."]

     RhapsodyCDBurningOnArrival\
     "Provider" = "Rhapsody"
     "InvokeProgID" = "Rhapsody.CDBurn.3"
     "InvokeVerb" = "open"
     HKLM\SOFTWARE\Classes\Rhapsody.CDBurn.3\shell\open\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /burn "%1"" ["RealNetworks, Inc."]

     RhapsodyDeviceOnArrival\
     "Provider" = "Rhapsody"
     "ProgID" = "Rhapsody.HWEventHandler"
     HKLM\SOFTWARE\Classes\Rhapsody.HWEventHandler\CLSID\(Default) = "{5717E2AC-8A5C-47b7-BFE5-50BAD65AB904}"
       -> {HKLM...CLSID} = "Rhapsody Helper"
          \LocalServer32\(Default) = ""C:\PROGRA~1\HPRHAP~1\rhaphlpr.exe"" ["RealNetworks, Inc."]

     RhapsodyMusicDevice\
     "Provider" = "Rhapsody"
     "InvokeProgID" = "Rhapsody.MusicDevice.3"
     "InvokeVerb" = "open"
     HKLM\SOFTWARE\Classes\Rhapsody.MusicDevice.3\shell\open\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /device: "%1"" ["RealNetworks, Inc."]

     RhapsodyPlayCDAudioOnArrival\
     "Provider" = "Rhapsody"
     "InvokeProgID" = "Rhapsody.AudioCD.3"
     "InvokeVerb" = "play"
     HKLM\SOFTWARE\Classes\Rhapsody.AudioCD.3\shell\play\command\(Default) = ""C:\Program Files\HP Rhapsody\rhapsody.exe" /play "%1"" ["RealNetworks, Inc."]

     SonicSCAudioCDTask\
     "Provider" = "Sonic Audio Module"
     "InvokeProgID" = "Sonic.SonicCentral"
     "InvokeVerb" = "AudioCDTask"
     HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

     SonicSCCopyCD\
     "Provider" = "Sonic Copy Module"
     "InvokeProgID" = "Sonic.SonicCentral"
     "InvokeVerb" = "ExactCopyJob"
     HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

     SonicSCCopyDisc\
     "Provider" = "Sonic Copy Module"
     "InvokeProgID" = "Sonic.SonicCentral"
     "InvokeVerb" = "ExactCopyJob"
     HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

     SonicSCDataProject\
     "Provider" = "Sonic Data Module"
     "InvokeProgID" = "Sonic.SonicCentral"
     "InvokeVerb" = "DataGuide"
     HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

     SonicSCDataTask\
     "Provider" = "Sonic Data Module"
     "InvokeProgID" = "Sonic.SonicCentral"
     "InvokeVerb" = "DataTask"
     HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

     SonicVideoCameraArrival\
     "Provider" = "Sonic Solutions"
     "ProgID" = "MyDVD.MyDVDAPHandler"
     "InitCmdLine" = "new"
     HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
       -> {HKLM...CLSID} = "MyDVDAPHandler Class"
          \LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE -autoplay" ["Sonic Solutions"]

     SonicVideoCameraArrivalDirect\
     "Provider" = "Sonic Solutions"
     "ProgID" = "MyDVD.MyDVDAPHandler"
     "InitCmdLine" = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {3563B7B4-E6D4-4360-8E38-64E008F52C5C}"
     HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
       -> {HKLM...CLSID} = "MyDVDAPHandler Class"
          \LocalServer32\(Default) = "C:\PROGRA~1\Sonic\DIGITA~1\MYDVDP~1\MyDVD.EXE 
-autoplay" ["Sonic Solutions"] Startup items in "ERMINE" & "All Users" startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "Clean Access Agent" -> shortcut to: "C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe" ["Cisco Systems, Inc"] "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! 
Inc."] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop Missing lines (compared with English-language version): [strings]: 1 line HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*l" (unwritable string) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! 
Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."] hpqwmiex, hpqwmiex, "C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe" ["Hewlett-Packard Development Company, L.P."] LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] LiveUpdate Notice Service, LiveUpdate Notice Service, ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"" ["Symantec Corporation"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS] Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS] Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS] Message Queuing, MSMQ, "C:\WINDOWS\system32\mqsvc.exe" [MS] Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\system32\mqtgsvc.exe" [MS] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"] Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ LIDIL hpzll4pi\Driver = "hpzll4pi.dll" ["Hewlett-Packard Company"] Microsoft 
Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2009-08-16 22:11:22) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 50 seconds, including 22 seconds for message boxes)
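A small triage helper for Silent Runners output, added here as an example; it is not part of the post above and not code from the Silent Runners tool. It parses the publisher tag the tool appends to every file it lists ([MS], ["Company Name"], [null data]) and carries the <<!>>/<<H>> markers from the legend above to the entry they flag, so a long log collapses to the handful of entries worth checking: flagged hijack points and binaries whose version info names no company, such as the Mediahub.exe autoplay handlers in this log. The sample input is a constructed excerpt of the log above with its line breaks restored; the autoplay entry is left without its section title because that title is not in the post. The [file not found] tag is assumed to be what the tool emits for a missing file; it does not occur in this log.

```python
"""Silent Runners log triage (added example; not the original post's or the tool's code)."""
import re
from dataclasses import dataclass, field

# Tag Silent Runners appends to each file it lists: [MS], ["Company Name"] from
# the file's version info, or [null data] when the version info names no company.
# [file not found] is an assumption about the tag used for a missing file.
TAG_RE = re.compile(r'\s\[(?P<tag>[^\[\]]+)\]\s*$')
# First Windows path ending in a binary; lazy so spaces in "Program Files" survive.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.(?:exe|dll|sys|vbs))', re.I)
# Markers the tool places on suspicious entries (see the legend at the end of a log).
MARKER_RE = re.compile(r'<<([!H])>>')


@dataclass
class LaunchPoint:
    section: str
    line: str
    path: str
    publisher: str
    markers: list = field(default_factory=list)

    def findings(self):
        notes = []
        if '!' in self.markers:
            notes.append('tool marker <<!>>: suspicious malware launch point')
        if 'H' in self.markers:
            notes.append('tool marker <<H>>: suspicious browser hijack point')
        if self.publisher == 'null data':
            notes.append('no company name in version info: verify hash or signature by hand')
        if self.publisher == 'file not found':
            notes.append('launch point references a missing file')
        return notes


def parse(log):
    """One LaunchPoint per line that names a file and carries a publisher tag."""
    points, section, pending = [], '(preamble)', []
    lines = log.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        if set(line) == {'-'} and i > 0:      # dashes underline the section title above
            section = lines[i - 1].strip()
            continue
        pending += MARKER_RE.findall(line)    # marker may sit on the line before the path
        tag = TAG_RE.search(line)
        if not tag:
            continue
        path = PATH_RE.search(line[:tag.start()])
        if not path:
            continue
        publisher = tag.group('tag').strip('"')
        if publisher == 'MS':
            publisher = 'Microsoft'
        points.append(LaunchPoint(section, line, path.group(1), publisher, pending))
        pending = []
    return points


def triage(log):
    """Only the launch points that carry at least one finding."""
    return [p for p in parse(log) if p.findings()]


# Constructed excerpt of the log above, with the tool's line breaks restored.
SAMPLE_LOG = r"""
SonicSCDataTask\
  "Provider" = "Sonic Data Module"
  HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

Startup items in "ERMINE" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Clean Access Agent" -> shortcut to: "C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe" ["Cisco Systems, Inc"]

Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*l" (unwritable string)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
"""

if __name__ == '__main__':
    for p in triage(SAMPLE_LOG):
        print(f'[{p.section}] {p.path} ({p.publisher})')
        for note in p.findings():
            print(f'    - {note}')
```

A [null data] tag is not evidence of malware on its own (the Sonic entries here belong to vendor software), it only means the tool could not read a company name, so the publisher check has to be done another way, for instance by hashing the file or checking its Authenticode signature with Get-AuthenticodeSignature on the machine itself. The <<H>> entry above is flagged because a URLSearchHook is a classic browser hijack point; here it resolves to the same Yahoo! Toolbar DLL listed under Toolbars, which is what makes it benign in this log.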