
Malwarebytes

Mbam not cleaning Trojan.BHO.H properly


15 replies to this topic

#1
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
I've been having some issues for quite some time now. I had some pop-up ads that appear to be gone, but Mbam keeps finding objects that it cannot clean. It prompts for a reboot to finish the clean, but then if I scan again all the same things are still there. I have attached logs from Mbam and HijackThis below. Any help is appreciated. What worries me is that I don't know what these things are doing, because they appear benign.
Thanks.

------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.35
Database version: 1929
Windows 5.1.2600 Service Pack 2

2009-04-01 10:50:17
mbam-log-2009-04-01 (10-50-17).txt

Scan type: Quick Scan
Objects scanned: 94654
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93353c3e-d1a9-4f4c-ba63-7d4cd672b7c2} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{93353c3e-d1a9-4f4c-ba63-7d4cd672b7c2} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\auth.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\joe.leluga\Local Settings\Temp\kcxpkhzp.dat (Rootkit.Agent) -> Delete on reboot.

------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54, on 2009-04-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {93353C3E-D1A9-4F4C-BA63-7D4CD672B7C2} - C:\WINDOWS\system32\auth.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Conversion to PDF with ScanSnap Organizer.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: http://chgpw.kofax.com
O15 - Trusted Zone: http://helpdesk.kofax.com
O15 - Trusted Zone: http://intranet.kofax.com
O15 - Trusted Zone: http://lms.kofax.com
O15 - Trusted Zone: http://sp.kofax.com
O15 - Trusted Zone: http://www.kofax.com
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: http://chgpw.kofax.com (HKLM)
O15 - Trusted Zone: http://helpdesk.kofax.com (HKLM)
O15 - Trusted Zone: http://intranet.kofax.com (HKLM)
O15 - Trusted Zone: http://lms.kofax.com (HKLM)
O15 - Trusted Zone: http://sp.kofax.com (HKLM)
O15 - Trusted Zone: http://www.kofax.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://remote1.kofax.com/CACHE/webvpn/stc/...ries/vpnweb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236350038500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236350025656
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\Software\..\Telephony: DomainName = kofax.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kofax.com
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks Premier\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12593 bytes

#2
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
Hi and welcome to the MBAM forums :)

You have Rootkit.Sentinel on board, which is restoring those entries every time we remove them.

The culprit is likely to be a driver that is not known to our database yet, which is why we cannot finish this thing off once and for all!

To help me identify the culprit please do the following.

Download and install Autoruns.
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.
At this point go to Options and place a check (tick) against "Verify Code Signatures" and "Hide Microsoft & Windows Entries". Next press the F5 key to refresh.

Once the software shows the Ready status again, go to the File menu. Select "Export as" and save the output file as Autoruns.txt.

Can you please then copy and paste the contents of that text file into your next reply for analysis.

Thanks in advance :)
Ade Gill
Research Engineer


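
An added example, not code from the thread, from Malwarebytes or from Sysinternals: a PowerShell script that does by hand what the two posts above describe. It lists every Browser Helper Object registered for Internet Explorer with its DLL and Authenticode status (the HijackThis O2 line for {93353C3E-...} -> auth.dll is the kind of entry it surfaces), dumps any values under the "Browser Settings" key the MBAM log flagged, and enumerates kernel drivers with their signature status, since post #2 expects the persistence to come from a driver that is not yet recognised. It goes slightly beyond the page by also checking the Wow6432Node BHO key, which exists only on 64-bit hosts (the machine in the thread is XP x86). The function names, the CSV output path and the "anything not validly signed or missing from disk is a suspect" rule are my own assumptions; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the thread. Assumptions: elevated Windows PowerShell; an image that is
# missing from disk, or whose Authenticode status is anything other than 'Valid', is reported
# as a suspect for the analyst to look at (it is not by itself proof of malware).

function Resolve-ImagePath {
    param([string]$Path)
    if (-not $Path) { return $null }
    # Driver ImagePath values come in several spellings; normalise them to a plain file path.
    $p = $Path.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\...   -> C:\WINDOWS\...
    if ($p -match '^(system32|syswow64)\\') {             # system32\drivers\x.sys (relative to %SystemRoot%)
        $p = Join-Path $env:SystemRoot $p
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SignatureStatus {
    param([string]$Path)
    $resolved = Resolve-ImagePath $Path
    if (-not $resolved) { return 'no image path' }
    if (-not (Test-Path -LiteralPath $resolved)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    if ($sig.Status -eq 'Valid') {
        # Subject looks like "CN=Microsoft Windows, O=Microsoft Corporation, ..."
        return 'Valid: ' + $sig.SignerCertificate.Subject
    }
    return $sig.Status.ToString()    # NotSigned, HashMismatch, UnknownError, ...
}

function Get-BhoTriage {
    # IE loads every CLSID listed under these keys; the class itself (name, DLL) lives in HKCR\CLSID.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid  = $key.PSChildName
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if (-not $name) { $name = '(no name)' }      # HijackThis prints the same for a nameless class
            [pscustomobject]@{
                Kind      = 'BHO'
                Name      = $name
                Identity  = $clsid
                Image     = Resolve-ImagePath $dll
                Signature = Get-SignatureStatus $dll
            }
        }
    }
}

function Get-BrowserSettingsValues {
    # The key whose bf/bk/iu/mu values the MBAM log reported as Trojan.Agent.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
    if (-not (Test-Path -Path $key)) { return @() }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath/... bookkeeping
        [pscustomobject]@{ Kind = 'BrowserSettings'; Name = $p.Name; Identity = $key
                           Image = [string]$p.Value;     Signature = 'n/a' }
    }
}

function Get-DriverTriage {
    # Kernel drivers are services with Type 1 or 2; a boot-time driver has to have an entry here.
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        $image = $props.ImagePath
        if (-not $image) {
            # With no ImagePath the loader falls back to %SystemRoot%\system32\drivers\<ServiceName>.sys
            $image = Join-Path $env:SystemRoot ("system32\drivers\" + $svc.PSChildName + ".sys")
        }
        [pscustomobject]@{
            Kind      = 'Driver'
            Name      = $svc.PSChildName
            Identity  = "Start=$($props.Start)"
            Image     = Resolve-ImagePath $image
            Signature = Get-SignatureStatus $image
        }
    }
}

$report = @(Get-BhoTriage) + @(Get-BrowserSettingsValues) + @(Get-DriverTriage)
$report | Format-Table Kind, Name, Identity, Signature, Image -AutoSize

# Suspects: anything without a valid signature or whose image is gone from disk.
$report | Where-Object { $_.Signature -ne 'n/a' -and $_.Signature -notlike 'Valid:*' } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\triage-suspects.csv" -NoTypeInformation
```

Two caveats when reading the output. On older Windows versions Get-AuthenticodeSignature does not consult catalog (.cat) signatures, so many genuine Microsoft drivers will show NotSigned; Autoruns' "Verify Code Signatures" does check catalogs, which is why its "Hide Microsoft entries" filter works and this script's does not. Treat NotSigned on a file in system32\drivers as "look at it", not as a verdict, and give weight to an unsigned, nameless or recently modified image in an odd location. Second, the useful diagnostic for the symptom in post #1 is the diff: run the script before MBAM's reboot cleanup and again afterwards, and whatever BHO or driver entry reappears is the thing restoring the others.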

#3
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
As per your request, here is the export from Autoruns. Thanks for the help.

---------------------------------------------------------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
+ rdpclip RDP Clip Monitor Microsoft Corporation c:\windows\system32\rdpclip.exe
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
+ Default Domain Policy - ALL File not found: \\kofax.com\sysvol\kofax.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\wsusfix.vbs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Apoint Alps Pointing-device Driver Alps Electric Co., Ltd. c:\program files\apoint\apoint.exe
+ Dell QuickSet QuickSet Dell Inc c:\program files\dell\quickset\quickset.exe
+ DiskeeperSystray DKICON.EXE Executive Software International, Inc. c:\program files\executive software\diskeeper\dkicon.exe
+ HotKeysCmds hkcmd Module Intel Corporation c:\windows\system32\hkcmd.exe
+ IgfxTray igfxTray Module Intel Corporation c:\windows\system32\igfxtray.exe
+ IntelWireless Intel Framework MFC Application Intel Corporation c:\program files\intel\wireless\bin\ifrmewrk.exe
+ IntelZeroConfig ZeroCfgSvc MFC Application Intel Corporation c:\program files\intel\wireless\bin\zcfgsvc.exe
+ Intuit SyncManager IntuitSyncManager Intuit Inc. All rights reserved. c:\program files\common files\intuit\sync\intuitsyncmanager.exe
+ Iomega Automatic Backup 1.0.1 Iomega Corporation c:\program files\iomega\iomega automatic backup\ibackup.exe
+ KADxMain IntelliSonic Systray Control (KADxMain) Knowles Acoustics c:\windows\system32\kadxmain.exe
+ PDVDDXSrv CyberLink PowerCinema Resident Program CyberLink Corp. c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe
+ Persistence persistence Module Intel Corporation c:\windows\system32\igfxpers.exe
+ PfuSsSct.exe PfuSSSct.exe PFU LIMITED c:\program files\pfu\scansnap\pfusssct.exe
+ SigmatelSysTrayApp Sigmatel Audio system tray application SigmaTel, Inc. c:\windows\stsystra.exe
+ SunJavaUpdateSched Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+ Malwarebytes Anti-Malware (reboot) Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbam.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Adobe Acrobat Speed Launcher.lnk c:\documents and settings\all users\start menu\programs\startup\adobe acrobat speed launcher.lnk
+ Conversion to PDF with ScanSnap Organizer.lnk PfuSsOrgOcr Application PFU LIMITED c:\program files\pfu\scansnap\organizer\ocr\pfussorgocr.exe
+ Google Calendar Sync.lnk Google Calendar Sync Google c:\program files\google\google calendar sync\googlecalendarsync.exe
+ QuickBooks Update Agent.lnk QuickBooks Automatic Update Intuit Inc. c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
+ ScanSnap Manager.lnk PFUSSMON PFU LIMITED c:\program files\pfu\scansnap\driver\pfussmon.exe
C:\Documents and Settings\joe.leluga\Start Menu\Programs\Startup
+ eFax 4.4.lnk eFax Messenger - Tray j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gtray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ Class Install Handler OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ deflate OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ gzip OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ lzdhtml OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ text/webviewhtml Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ text/xml Microsoft Office XML MIME Filter Microsoft Corporation c:\program files\common files\microsoft shared\office12\msoxmlmf.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ about Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ cdl OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ dvd ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
+ file OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ ftp OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ gopher OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ http OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ https OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ intu-help-qb2 QuickBooks Assistance Library Intuit, Inc. c:\program files\intuit\quickbooks premier\helpasyncpluggableprotocol.dll
+ its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
+ javascript Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ local OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ mailto Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ mhtml Microsoft Internet Messaging API Microsoft Corporation c:\windows\system32\inetcomm.dll
+ mk OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ ms-help Microsoft® Help Data Services Module Microsoft Corporation c:\program files\common files\microsoft shared\help\hxds.dll
+ ms-its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\windows\system32\itss.dll
+ qbwc Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll
+ res Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ skype4com Skype for COM API Skype Technologies c:\program files\common files\skype\skype4com.dll
+ sysimage Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ tv ActiveX control for streaming video Microsoft Corporation c:\windows\system32\msvidctl.dll
+ vbscript Microsoft ® HTML Viewer Microsoft Corporation c:\windows\system32\mshtml.dll
+ wia WIA Scripting Layer Microsoft Corporation c:\windows\system32\wiascr.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Address Book 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
+ Browser Customizations IEAK branding Microsoft Corporation c:\windows\system32\iedkcs32.dll
+ IE7 Uninstall Stub IE Per User Active Setup Uninstall Utility Microsoft Corporation c:\windows\system32\ieudinit.exe
+ Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
+ Internet Explorer IE Per-User Initialization Utility Microsoft Corporation c:\windows\system32\ie4uinit.exe
+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Microsoft Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\windows\inf\unregmp2.exe
+ Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ n/a Microsoft .NET IE SECURITY REGISTRATION Microsoft Corporation c:\windows\system32\mscories.dll
+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
+ Outlook Express Windows NT User Data Migration Tool Microsoft Corporation c:\windows\system32\shmgrate.exe
+ Themes Setup File not found: C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll
+ Windows Desktop Update File not found: regsvr32.exe
+ Windows Messenger 4.7 ADVPACK Microsoft Corporation c:\windows\system32\advpack.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ Browseui preloader Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+ CDBurn Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ PostBootReminder Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ SysTray Systray shell service object Microsoft Corporation c:\windows\system32\stobject.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WPDShServiceObj Windows Portable Device Shell Service Object Microsoft Corporation c:\windows\system32\wpdshserviceobj.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ SABShellExecuteHook Class ShellExecuteHook SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
+ URL Exec Hook Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Windows Desktop Search Namespace Manager Windows Search Namespace Manager Microsoft Corporation c:\program files\windows desktop search\msnlnamespacemgr.dll
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
+ WebExShareMenu WbxRMenu Module c:\program files\webex\productivity tools\ptwbxrm.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll
+ HotShellExt_40 eFax Messenger - Shell Extension j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gshell.dll
+ Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Open With Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Open With EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ Start Menu Pin Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ Send To Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ EncryptionMenu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ Sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
+ DfsShell Class Distributed File System shell extension Microsoft Corporation c:\windows\system32\dfsshlex.dll
+ Folder Customization Tab Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll
+ Security Shell Extension Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll
+ Sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
+ CDF Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ FileSystem Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ MyDocuments My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ Sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
+ igfxcui igfxpph Module Intel Corporation c:\windows\system32\igfxpph.dll
+ New Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
+ Offline Files Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ %DESC_PublishDropTarget% Photo Printing Wizard Microsoft Corporation c:\windows\system32\photowiz.dll
+ &Address Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ &Links Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\windows\system32\cabview.dll
+ Accessible Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\windows\system32\occache.dll
+ Address EditBox Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Administrative Tools Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll
+ Audio Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Auto Update Property Sheet Extension Automatic Updates Control Panel Microsoft Corporation c:\windows\system32\wuaucpl.cpl
+ Avi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ BandProxy Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Briefcase Windows Briefcase Microsoft Corporation c:\windows\system32\syncui.dll
+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Channel File Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Menu Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Properties Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\windows\system32\cdfview.dll
+ Code Download Agent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Compatibility Page Compatibility Tab Shell Extension DLL Microsoft Corporation c:\windows\system32\slayerxp.dll
+ Compressed (zipped) Folder Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder Right Drag Handler Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder SendTo Target Compressed (zipped) Folders Microsoft Corporation c:\windows\system32\zipfldr.dll
+ ConnectionAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll
+ Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\windows\system32\cryptext.dll
+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Darwin App Publisher Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ DfsShell Distributed File System shell extension Microsoft Corporation c:\windows\system32\dfsshlex.dll
+ Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Object Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Property UI Directory Service Common UI Microsoft Corporation c:\windows\system32\dsuiext.dll
+ Directory Query UI Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Directory Start/Search Find Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\windows\system32\diskcopy.dll
+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\windows\system32\dskquoui.dll
+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\windows\system32\deskadp.dll
+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\windows\system32\deskmon.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\windows\system32\deskperf.dll
+ Download Status Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ DS Security Page Directory Service Security UI Microsoft Corporation c:\windows\system32\dssec.dll
+ E-mail Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ eFax Messenger - Shell Extension eFax Messenger - Shell Extension j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gshell.dll
+ Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Extensions Manager Folder Extensions Manager Microsoft Corporation c:\windows\system32\extmgr.dll
+ Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Fonts Windows Font Folder Microsoft Corporation c:\windows\system32\fontext.dll
+ Fonts Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll
+ FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Corporation c:\windows\system32\msieftp.dll
+ GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ History Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll
+ IE AutoComplete Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE BandProxy Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Custom MRU AutoCompleted List Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Fade Task Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE IShellFolderBand Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Band Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Desk Bar Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Site Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft BrowserBand Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft History AutoComplete List Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft Multiple AutoComplete List Container Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft Shell Folder AutoComplete List Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE MRU AutoComplete List Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Navigation Bar Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Registry Tree Options Utility Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE RSS Feeder Folder Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Search Band Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Shell Band Site Menu Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Shell Rebar BandSite Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Tracking Shell Menu Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE User Assist Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ In-pane search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Internet Name Space Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ InternetShortcut Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll
+ Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Microsoft Browser Architecture Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll
+ Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft DocProp Shell Ext Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll
+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Office HTML Icon Handler 2007 Microsoft Office component Microsoft Corporation c:\program files\microsoft office\office12\msohevi.dll
+ Microsoft Office Metadata Handler Microsoft Office Shell Extension Handlers Microsoft Corporation c:\program files\common files\microsoft shared\office12\msoshext.dll
+ Microsoft Office Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Microsoft Corporation c:\program files\microsoft office\office12\olkfstub.dll
+ Microsoft Office Outlook Desktop Icon Handler Microsoft Shell Extension Library Microsoft Corporation c:\program files\microsoft office\office12\mlshext.dll
+ Microsoft Office Thumbnail Handler Microsoft Office Shell Extension Handlers Microsoft Corporation c:\program files\common files\microsoft shared\office12\msoshext.dll
+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Microsoft Url History Service Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Microsoft Url Search Hook Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Microsoft.XPS.Shell.Metadata.1 Package Document Shell Extension Handler Microsoft Corporation c:\windows\system32\xpsshhdr.dll
+ Microsoft.XPS.Shell.Thumbnail.1 Package Document Shell Extension Handler Microsoft Corporation c:\windows\system32\xpsshhdr.dll
+ Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll
+ MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\windows\system32\mmsys.cpl
+ MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ MyDocs Properties My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll
+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll
+ Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll
+ NTFS Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll
+ Office Document Property Handler Microsoft Property System Microsoft Corporation c:\windows\system32\propsys.dll
+ Offline Files Folder Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll
+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\windows\system32\docprop.dll
+ PlusPack CPL Extension Windows Theme API Microsoft Corporation c:\windows\system32\themeui.dll
+ Portable Devices Portable Devices Shell Extension Microsoft Corporation c:\windows\system32\wpdshext.dll
+ Portable Devices Menu Portable Devices Shell Extension Microsoft Corporation c:\windows\system32\wpdshext.dll
+ Portable Media Devices Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll
+ PostAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Previous Versions Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll
+ Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll
+ Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Printers Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll
+ QBVersionTool QBVersionTool Intuit Inc. c:\program files\common files\intuit\quickbooks\qbversiontool.dll
+ Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Corporation c:\windows\system32\remotepg.dll
+ Run... Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll
+ Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Search Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll
+ Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll
+ Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Application Manager Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl
+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll
+ Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell DocObject Viewer Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\windows\system32\ntlanui2.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll
+ Shell extensions for Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll
+ Shell Icon Handler for Application References Application Deployment Support Library Microsoft Corporation c:\windows\system32\dfshim.dll
+ Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell Image Verbs Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Shell properties for a DS object Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll
+ Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\windows\system32\shscrap.dll
+ Shell Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ ShellLink for Application References Application Deployment Support Library Microsoft Corporation c:\windows\system32\dfshim.dll
+ Subscription Folder Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Subscription Mgr Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll
+ Taskbar and Start Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll
+ Temporary Internet Files Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Temporary Internet Files Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ The Internet Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
+ Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ TrayAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ User Accounts Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ User Assist Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll
+ Web Folders Windows executable Microsoft Corporation c:\program files\common files\microsoft shared\web folders\msonsext.dll
+ Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\windows\system32\printui.dll
+ Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll
+ Web Search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll
+ Windows Desktop Search Windows Search Results View Microsoft Corporation c:\program files\windows desktop search\msnlext.dll
+ Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll
+ Windows Search Deskbar Windows Search Deskbar extension Microsoft Corporation c:\program files\windows desktop search\deskbar.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ Java™ Plug-In 2 SSV Helper Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll
+ JQSIEStartDetectorImpl Class Java™ Quick Starter binary Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
+ Spybot-S&D IE Protection SBSD IE Protection Safer Networking Limited c:\program files\spybot - search & destroy\sdhelper.dll
+ {93353C3E-D1A9-4F4C-BA63-7D4CD672B7C2} c:\windows\system32\auth.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Microsoft Url Search Hook Internet Explorer Microsoft Corporation c:\windows\system32\ieframe.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Adobe PDF Adobe IE plugin Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\acrobat\acroiefavclient.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Bodog Poker File not found: C:\Program Files\Bodog Poker\BPGame.exe
+ Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe
HKLM\System\CurrentControlSet\Services
+ ALG Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall. Microsoft Corporation c:\windows\system32\alg.exe
+ AppMgmt Provides software installation services such as Assign, Publish, and Remove. Microsoft Corporation c:\windows\system32\appmgmts.dll
+ aspnet_state Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe
+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\audiosrv.dll
+ BITS Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly. Microsoft Corporation c:\windows\system32\qmgr.dll
+ Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\browser.dll
+ CiSvc Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. Microsoft Corporation c:\windows\system32\cisvc.exe
+ clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN Microsoft Corporation c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
+ COMSysApp Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dllhost.exe
+ CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\cryptsvc.dll
+ DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\rpcss.dll
+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\dhcpcsvc.dll
+ Diskeeper Controls the Windows Diskeeper Service Executive Software International, Inc. c:\program files\executive software\diskeeper\dkservice.exe
+ dmadmin Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. Microsoft Corp., Veritas Software c:\windows\system32\dmadmin.exe
+ dmserver Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corp. c:\windows\system32\dmserver.dll
+ Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dnsrslvr.dll
+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\ersvc.dll
+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
+ EventSystem Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\es.dll
+ EvtEng Manages the event trace messages for all the components of Intel® PROSet/Wireless software. Intel Corporation c:\program files\intel\wireless\bin\evteng.exe
+ FastUserSwitchingCompatibility Provides management for applications that require assistance in a multiple user environment. Microsoft Corporation c:\windows\system32\shsvcs.dll
+ FontCache3.0.0.0 Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications. Microsoft Corporation c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\pchealth\helpctr\binaries\pchsvc.dll
+ HidServ Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\hidserv.dll
+ HTTPFilter This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\w3ssl.dll
+ idsvc Securely enables the creation, management, and disclosure of digital identities. Microsoft Corporation c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe
+ ImapiService Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\imapi.exe
+ IntuitUpdateService Helps Intuit applications automatically update themselves. Intuit Inc. c:\program files\common files\intuit\update service\intuitupdateservice.exe
+ Iomega App Services AppServices Iomega Corporation c:\program files\iomega\system32\appservices.exe
+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe
+ lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\srvsvc.dll
+ lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wkssvc.dll
+ LiveUpdate LiveUpdate Core Engine Symantec Corporation c:\program files\symantec\liveupdate\lucomserver_3_1.exe
+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\lmhsvc.dll
+ MDM Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly. Microsoft Corporation c:\program files\common files\microsoft shared\vs7debug\mdm.exe
+ mnmsrvc Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\mnmsrvc.exe
+ MSDTC Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\msdtc.exe
+ MSIServer Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\msiexec.exe
+ Netlogon Supports pass-through authentication of account logon events for computers in a domain. Microsoft Corporation c:\windows\system32\lsass.exe
+ Netman Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Microsoft Corporation c:\windows\system32\netman.dll
+ NICCONFIGSVC Configure your Internal Network Card power management settings. Dell Inc. c:\program files\dell\quickset\nicconfigsvc.exe
+ Nla Collects and stores network configuration and location information, and notifies applications when this information changes. Microsoft Corporation c:\windows\system32\mswsock.dll
+ NtLmSsp Provides security to remote procedure call (RPC) programs that use transports other than named pipes. Microsoft Corporation c:\windows\system32\lsass.exe
+ NtmsSvc Removable Storage Manager Microsoft Corporation c:\windows\system32\ntmssvc.dll
+ odserv Run portions of Microsoft Office Diagnostics. Microsoft Corporation c:\program files\common files\microsoft shared\office12\odserv.exe
+ ose Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports. Microsoft Corporation c:\program files\common files\microsoft shared\source engine\ose.exe
+ Pantech Utility Service PWIUtilityService Sprint Spectrum, L.L.C c:\program files\sprint\pantech\sprint mobile broadband (pantech)\pwiutilityservice.exe
+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
+ QBCFMonitorService QuickBooks Company File Monitoring Service Intuit c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe
+ QBFCService QuickBooks FCS module Intuit Inc. c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe
+ RasAuto Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Microsoft Corporation c:\windows\system32\rasauto.dll
+ RasMan Creates a network connection. Microsoft Corporation c:\windows\system32\rasmans.dll
+ RDSessMgr Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. Microsoft Corporation c:\windows\system32\sessmgr.exe
+ RegSrvc Intel® PROSet/Wireless Registry Service Intel Corporation c:\program files\intel\wireless\bin\regsrvc.exe
+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\regsvc.dll
+ RpcLocator Manages the RPC name service database. Microsoft Corporation c:\windows\system32\locator.exe
+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\rpcss.dll
+ RSVP Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. Microsoft Corporation c:\windows\system32\rsvp.exe
+ S24EventMonitor Wireless Management Service for Intel® PROSet/Wireless Intel Corporation c:\program files\intel\wireless\bin\s24evmon.exe
+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
+ SCardSvr Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\scardsvr.exe
+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\schedsvc.dll
+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\seclogon.dll
+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\sens.dll
+ SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\ipnathlp.dll
+ ShellHWDetection Provides notifications for AutoPlay hardware events. Microsoft Corporation c:\windows\system32\shsvcs.dll
+ SlingAgentService Enables Clip and Sling functionality Version 0.9.0.149 Sling Media Inc. c:\program files\sling media\slingagent\slingagentservice.exe
+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
+ srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\srsvc.dll
+ SSDPSRV Enables discovery of UPnP devices on your home network. Microsoft Corporation c:\windows\system32\ssdpsrv.dll
+ STacSV Manages SigmaTel Audio Universal Jack configurations. SigmaTel, Inc. c:\program files\sigmatel\c-major audio\wdm\stacsv.exe
+ stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\wiaservc.dll
+ SwPrv Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\dllhost.exe
+ SysmonLog Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\smlogsvc.exe
+ TapiSrv Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Microsoft Corporation c:\windows\system32\tapisrv.dll
+ tcsd_win32.exe TCS service for accessing the TPM c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe
+ TermService Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Microsoft Corporation c:\windows\system32\termsrv.dll
+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\shsvcs.dll
+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\trkwks.dll
+ upnphost Provides support to host Universal Plug and Play devices. Microsoft Corporation c:\windows\system32\upnphost.dll
+ UPS Manages an uninterruptible power supply (UPS) connected to the computer. Microsoft Corporation c:\windows\system32\ups.exe
+ vpnagent Cisco AnyConnect VPN Agent for Windows Cisco Systems, Inc. c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe
+ VSS Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\vssvc.exe
+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\w32time.dll
+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\webclnt.dll
+ winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\wbem\wmisvc.dll
+ WLANKEEPER Provides Single Sign On (SSO) functionality. Intel® Corporation c:\program files\intel\wireless\bin\wlkeeper.exe
+ WmdmPmSN Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device. Microsoft Corporation c:\windows\system32\mspmsnsv.dll
+ Wmi Provides systems management information to and from drivers. Microsoft Corporation c:\windows\system32\advapi32.dll
+ WmiApSrv Provides performance library information from WMI HiPerf providers. Microsoft Corporation c:\windows\system32\wbem\wmiapsrv.exe
+ WMPNetworkSvc Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play Microsoft Corporation c:\program files\windows media player\wmpnetwk.exe
+ wscsvc Monitors system security settings and configurations. Microsoft Corporation c:\windows\system32\wscsvc.dll
+ WSearch Provides content indexing and property caching for file, email and other content (via extensibility APIs). The service responds to file and email notifications to index modified content. If the service is stopped or disabled, the Explorer will not be able to display virtual folder views of items, and search in the Explorer will fall back to item-by-item slow search. Microsoft Corporation c:\windows\system32\searchindexer.exe
+ wuauserv Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Corporation c:\windows\system32\wuauserv.dll
+ WudfSvc Manages user-mode driver host processes Microsoft Corporation c:\windows\system32\wudfsvc.dll
+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\wzcsvc.dll
+ xmlprov Manages XML configuration files on a domain basis for automatic network provisioning. Microsoft Corporation c:\windows\system32\xmlprov.dll
HKLM\System\CurrentControlSet\Services
+ ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys
+ aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys
+ AegisP AEGIS Protocol (IEEE 802.1x) v3.6.0.0 Meetinghouse Data Communications c:\windows\system32\drivers\aegisp.sys
+ AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys
+ ApfiltrService Alps Touch Pad Driver Alps Electric Co., Ltd. c:\windows\system32\drivers\apfiltr.sys
+ APPDRV App Support Driver Dell Inc c:\windows\system32\drivers\appdrv.sys
+ Arp1394 1394 ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\arp1394.sys
+ AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys
+ atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys
+ Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys
+ audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys
+ b57w2k Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver. Broadcom Corporation c:\windows\system32\drivers\b57xp32.sys
+ Beep BEEP Driver Microsoft Corporation c:\windows\system32\drivers\beep.sys
+ BrScnUsb Brother USB Scanner Driver Brother Industries Ltd. c:\windows\system32\drivers\brscnusb.sys
+ Cdaudio CD-ROM Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\cdaudio.sys
+ Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ cicgnz File not found: system32\drivers\bpibho.sys
+ CmBatt Control Method Battery Driver Microsoft Corporation c:\windows\system32\drivers\cmbatt.sys
+ Compbatt Composite Battery Driver Microsoft Corporation c:\windows\system32\drivers\compbatt.sys
+ CSRBC CsrUsb Device Driver CSR, plc c:\windows\system32\drivers\csrbcxp.sys
+ Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys
+ DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys
+ drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys
+ DXEC01 dxec01.sys Knowles Acoustics c:\windows\system32\drivers\dxec01.sys
+ Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys
+ Fips FIPS Crypto Driver Microsoft Corporation c:\windows\system32\drivers\fips.sys
+ Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys
+ FltMgr File System Filter Manager Driver Microsoft Corporation c:\windows\system32\drivers\fltmgr.sys
+ Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys
+ Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys
+ guardian2 O2Micro USB CCID SmartCard Reader O2Micro c:\windows\system32\drivers\oz776.sys
+ HDAudBus High Definition Audio Bus Driver v1.0 Windows ® Server 2003 DDK provider c:\windows\system32\drivers\hdaudbus.sys
+ hidusb USB Miniport Driver for Input Devices Microsoft Corporation c:\windows\system32\drivers\hidusb.sys
+ HSF_DPV HSF_DP driver Conexant Systems, Inc. c:\windows\system32\drivers\hsf_dpv.sys
+ HSFHWAZL HSF_HWAZL WDM driver Conexant Systems, Inc. c:\windows\system32\drivers\hsfhwazl.sys
+ HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys
+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
+ i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys
+ ialm Intel Graphics Miniport Driver Intel Corporation c:\windows\system32\drivers\igxpmp32.sys
+ Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys
+ intelppm Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\intelppm.sys
+ iomdisk Iomega Devices Disk Filter Driver Iomega Corporation c:\windows\system32\drivers\iomdisk.sys
+ Ip6Fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys
+ IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys
+ IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys
+ IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys
+ IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys
+ IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys
+ isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys
+ Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys
+ kbdhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\kbdhid.sys
+ kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys
+ KSecDD Kernel Security Support Provider Interface Microsoft Corporation c:\windows\system32\drivers\ksecdd.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ lfsevmwh ACPI Operation Registration Driver Microsoft Corporation c:\windows\system32\drivers\lfsevmwh.sys
+ mdmxsdk Diagnostic Interface x86 Driver Conexant c:\windows\system32\drivers\mdmxsdk.sys
+ mnmdd Frame buffer simulator Microsoft Corporation c:\windows\system32\drivers\mnmdd.sys
+ Modem Modem Device Driver Microsoft Corporation c:\windows\system32\drivers\modem.sys
+ Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys
+ mouhid HID Mouse Filter Driver Microsoft Corporation c:\windows\system32\drivers\mouhid.sys
+ MountMgr Mount Manager Microsoft Corporation c:\windows\system32\drivers\mountmgr.sys
+ MRxDAV WebDav Client Redirector Microsoft Corporation c:\windows\system32\drivers\mrxdav.sys
+ MRxSmb MRXSMB Microsoft Corporation c:\windows\system32\drivers\mrxsmb.sys
+ Msfs Mailslot driver Microsoft Corporation c:\windows\system32\drivers\msfs.sys
+ MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys
+ MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys
+ MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys
+ mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys
+ Mup Multiple UNC Provider driver Microsoft Corporation c:\windows\system32\drivers\mup.sys
+ NDIS NDIS 5.1 wrapper driver Microsoft Corporation c:\windows\system32\drivers\ndis.sys
+ NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys
+ Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys
+ NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys
+ NDProxy NDIS Proxy Microsoft Corporation c:\windows\system32\drivers\ndproxy.sys
+ NetBIOS NetBIOS Interface Microsoft Corporation c:\windows\system32\drivers\netbios.sys
+ NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys
+ NETw4x32 Intel® Wireless WiFi Link Driver Intel Corporation c:\windows\system32\drivers\netw4x32.sys
+ NIC1394 IEEE1394 Ndis Miniport and Call Manager Microsoft Corporation c:\windows\system32\drivers\nic1394.sys
+ Npfs NPFS Driver Microsoft Corporation c:\windows\system32\drivers\npfs.sys
+ Null NULL Driver Microsoft Corporation c:\windows\system32\drivers\null.sys
+ NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys
+ ohci1394 1394 OpenHCI Port Driver Microsoft Corporation c:\windows\system32\drivers\ohci1394.sys
+ Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys
+ PartMgr Partition Manager Microsoft Corporation c:\windows\system32\drivers\partmgr.sys
+ ParVdm VDM Parallel Driver Microsoft Corporation c:\windows\system32\drivers\parvdm.sys
+ PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PCIIde Generic PCI IDE Bus Driver Microsoft Corporation c:\windows\system32\drivers\pciide.sys
+ Pcmcia PCMCIA Bus Driver Microsoft Corporation c:\windows\system32\drivers\pcmcia.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys
+ PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys
+ PTDCBus CDMA USB Composite Device Driver DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcbus.sys
+ PTDCMdm PANTECH PC Card Drivers (UDP) DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcmdm.sys
+ PTDCVsp PANTECH PC Card Diagnostic Serial Port (UDP) DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcvsp.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ qeoihcwi File not found: system32\drivers\tgnvjxab.sys
+ RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys
+ Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys
+ RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys
+ Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys
+ Rdbss Rdbss Microsoft Corporation c:\windows\system32\drivers\rdbss.sys
+ RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys
+ rdpdr Microsoft RDP Device redirector Microsoft Corporation c:\windows\system32\drivers\rdpdr.sys
+ RDPWD RDP Terminal Stack Driver (US/Canada Only, Not for Export) Microsoft Corporation c:\windows\system32\drivers\rdpwd.sys
+ redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys
+ RimUsb BlackBerry Device Driver Research In Motion Limited c:\windows\system32\drivers\rimusb.sys
+ RimVSerPort RIM Virtual Serial Driver Research in Motion Ltd c:\windows\system32\drivers\rimserial.sys
+ ROOTMODEM Legacy Non-Pnp Modem Device Driver Microsoft Corporation c:\windows\system32\drivers\rootmdm.sys
+ s24trans WLAN Transport Intel Corporation c:\windows\system32\drivers\s24trans.sys
+ SASDIFSV SASDIFSV.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasdifsv.sys
+ SASENUM SASENUM.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasenum.sys
+ SASKUTIL SASKUTIL.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\saskutil.sys
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
+ serenum Serial Port Enumerator Microsoft Corporation c:\windows\system32\drivers\serenum.sys
+ Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys
+ Sfloppy SCSI Floppy Driver Microsoft Corporation c:\windows\system32\drivers\sfloppy.sys
+ splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys
+ sr System Restore Filesystem Filter Driver Microsoft Corporation c:\windows\system32\drivers\sr.sys
+ Srv Srv Microsoft Corporation c:\windows\system32\drivers\srv.sys
+ STHDA NDRC SigmaTel, Inc. c:\windows\system32\drivers\sthda.sys
+ StillCam Serial Imaging Device Driver Microsoft Corporation c:\windows\system32\drivers\serscan.sys
+ swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys
+ swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys
+ sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys
+ Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys
+ TDPIPE Named Pipe Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdpipe.sys
+ TDTCP TCP Transport Driver Microsoft Corporation c:\windows\system32\drivers\tdtcp.sys
+ TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys
+ tosporte TOSHIBA Bluetooth Port Emulation Driver TOSHIBA Corporation c:\windows\system32\drivers\tosporte.sys
+ tosrfbd Bluetooth RF Bus Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfbd.sys
+ tosrfbnp Bluetooth RFBNEP Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfbnp.sys
+ Tosrfcom Bluetooth RFCOMM Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfcom.sys
+ Tosrfhid Bluetooth HID Driver from TOSHIBA TOSHIBA Corporation. c:\windows\system32\drivers\tosrfhid.sys
+ tosrfnds Bluetooth BNEP Driver TOSHIBA Corporation. c:\windows\system32\drivers\tosrfnds.sys
+ Tosrfusb Bluetooth USB Miniport Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfusb.sys
+ Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys
+ usbccgp USB Common Class Generic Parent Driver Microsoft Corporation c:\windows\system32\drivers\usbccgp.sys
+ usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbehci.sys
+ usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys
+ usbohci OHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbohci.sys
+ usbprint USB Printer driver Microsoft Corporation c:\windows\system32\drivers\usbprint.sys
+ usbscan USB Scanner Driver Microsoft Corporation c:\windows\system32\drivers\usbscan.sys
+ USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys
+ usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys
+ VgaSave VGA/Super VGA Video Driver Microsoft Corporation c:\windows\system32\drivers\vga.sys
+ vhic c:\windows\system32\drivers\wlohxino.sys
+ VolSnap Volume Shadow Copy Driver Microsoft Corporation c:\windows\system32\drivers\volsnap.sys
+ vpnva Cisco AnyConnect VPN Client Virtual Miniport Adapter for Windows Cisco Systems, Inc. c:\windows\system32\drivers\vpnva.sys
+ Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
+ wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys
+ winachsf HSF_CNXT driver Conexant Systems, Inc. c:\windows\system32\drivers\hsf_cnxt.sys
+ WmiAcpi Windows Management Interface for ACPI Microsoft Corporation c:\windows\system32\drivers\wmiacpi.sys
+ WpdUsb WPD USB Driver Microsoft Corporation c:\windows\system32\drivers\wpdusb.sys
+ WudfPf Provide communciation services for UMDF components. Microsoft Corporation c:\windows\system32\drivers\wudfpf.sys
+ WudfRd Reflect device requests to user-mode driver drivers Microsoft Corporation c:\windows\system32\drivers\wudfrd.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll
+ comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll
+ gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
+ kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
+ ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll
+ oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll
+ olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
+ shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll
+ urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
+ wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll
+ wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
+ logonui.exe Windows Logon UI Microsoft Corporation c:\windows\system32\logonui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
+ cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
+ cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
+ igfxcui igfxdev Module Intel Corporation c:\windows\system32\igfxdev.dll
+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ WgaLogon Windows Genuine Advantage Notification Microsoft Corporation c:\windows\system32\wgalogon.dll
+ wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
+ 000000000001 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000002 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000003 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000004 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
+ 000000000005 Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\windows\system32\rsvpsp.dll
+ 000000000006 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000007 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000008 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000009 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000010 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000011 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000012 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000013 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000014 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000015 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000016 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000017 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000018 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000019 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000020 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000021 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000022 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000023 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000024 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000025 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000026 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ 000000000027 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
+ Network Location Awareness (NLA) Namespace Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ NTDS LDAP RnR Provider DLL Microsoft Corporation c:\windows\system32\winrnr.dll
+ Tcpip Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF Port Acrobat ® PDF Port Adobe Systems Incorporated. c:\windows\system32\adobepdf.dll
+ BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\windows\system32\cnbjmon.dll
+ Local Port Local Spooler DLL Microsoft Corporation c:\windows\system32\localspl.dll
+ Microsoft Office Live Meeting 2007 Document Writer Monitor Microsoft® Office Document Image for Live Meeting 2007 Microsoft Corporation. c:\windows\system32\lmdimon8.dll
+ PJL Language Monitor PJL Language monitor Microsoft Corporation c:\windows\system32\pjlmon.dll
+ Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\windows\system32\tcpmon.dll
+ Toshiba Bluetooth Monitor tbtmon98 Toshiba America Business Solutions, Inc. c:\windows\system32\tbtmon.dll
+ USB Monitor Standard Dynamic Printing Port Monitor DLL Microsoft Corporation c:\windows\system32\usbmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ digest.dll Digest SSPI Authentication Package Microsoft Corporation c:\windows\system32\digest.dll
+ msapsspc.dll DPA Client for 32 bit platforms Microsoft Corporation c:\windows\system32\msapsspc.dll
+ msnsspc.dll MSN Internet Access Microsoft Corporation c:\windows\system32\msnsspc.dll
+ schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\windows\system32\scecli.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
+ kerberos Kerberos Security Package Microsoft Corporation c:\windows\system32\kerberos.dll
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\windows\system32\msv1_0.dll
+ schannel TLS / SSL Security Provider Microsoft Corporation c:\windows\system32\schannel.dll
+ wdigest Microsoft Digest Access Microsoft Corporation c:\windows\system32\wdigest.dll
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+ LanmanWorkstation Microsoft Windows Network Microsoft Corporation c:\windows\system32\ntlanman.dll
+ RDPNP Microsoft Terminal Services Microsoft Corporation c:\windows\system32\drprov.dll
+ WebClient Web Client Network Microsoft Corporation c:\windows\system32\davclnt.dll

#4
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
OK, hi. I really do need to have the filtered (reduced) log that was requested :)

Quote

When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.
At this point go to Options and place a check (tick) against verify code signatures and hide Microsoft & Windows entries. Next press the F5 button to refresh.

Once the software shows the Ready status again, go to the File option.
Select "Export as" and save the output file as Autoruns.txt

Thanks in advance :)
Ade Gill
Research Engineer

Posted Image

Follow us: Twitter, Become a fan: Facebook

#5
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
Sorry for that. Oddly enough, when I checked both options, the file got BIGGER and the site said my post is too long :)

Here is another export with "Hide Microsoft and Windows entries" checked (which is definitely smaller):

----------------------------------------------------------------------------------------------------------------

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
+ Default Domain Policy - ALL File not found: \\kofax.com\sysvol\kofax.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\wsusfix.vbs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Apoint Alps Pointing-device Driver Alps Electric Co., Ltd. c:\program files\apoint\apoint.exe
+ Dell QuickSet QuickSet Dell Inc c:\program files\dell\quickset\quickset.exe
+ DiskeeperSystray DKICON.EXE Executive Software International, Inc. c:\program files\executive software\diskeeper\dkicon.exe
+ HotKeysCmds hkcmd Module Intel Corporation c:\windows\system32\hkcmd.exe
+ IgfxTray igfxTray Module Intel Corporation c:\windows\system32\igfxtray.exe
+ IntelWireless Intel Framework MFC Application Intel Corporation c:\program files\intel\wireless\bin\ifrmewrk.exe
+ IntelZeroConfig ZeroCfgSvc MFC Application Intel Corporation c:\program files\intel\wireless\bin\zcfgsvc.exe
+ Intuit SyncManager IntuitSyncManager Intuit Inc. All rights reserved. c:\program files\common files\intuit\sync\intuitsyncmanager.exe
+ Iomega Automatic Backup 1.0.1 Iomega Corporation c:\program files\iomega\iomega automatic backup\ibackup.exe
+ KADxMain IntelliSonic Systray Control (KADxMain) Knowles Acoustics c:\windows\system32\kadxmain.exe
+ PDVDDXSrv CyberLink PowerCinema Resident Program CyberLink Corp. c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe
+ Persistence persistence Module Intel Corporation c:\windows\system32\igfxpers.exe
+ PfuSsSct.exe PfuSSSct.exe PFU LIMITED c:\program files\pfu\scansnap\pfusssct.exe
+ SigmatelSysTrayApp Sigmatel Audio system tray application SigmaTel, Inc. c:\windows\stsystra.exe
+ SunJavaUpdateSched Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
+ Malwarebytes Anti-Malware (reboot) Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbam.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Adobe Acrobat Speed Launcher.lnk c:\documents and settings\all users\start menu\programs\startup\adobe acrobat speed launcher.lnk
+ Conversion to PDF with ScanSnap Organizer.lnk PfuSsOrgOcr Application PFU LIMITED c:\program files\pfu\scansnap\organizer\ocr\pfussorgocr.exe
+ Google Calendar Sync.lnk Google Calendar Sync Google c:\program files\google\google calendar sync\googlecalendarsync.exe
+ QuickBooks Update Agent.lnk QuickBooks Automatic Update Intuit Inc. c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
+ ScanSnap Manager.lnk PFUSSMON PFU LIMITED c:\program files\pfu\scansnap\driver\pfussmon.exe
C:\Documents and Settings\joe.leluga\Start Menu\Programs\Startup
+ eFax 4.4.lnk eFax Messenger - Tray j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gtray.exe
HKLM\SOFTWARE\Classes\Protocols\Handler
+ intu-help-qb2 QuickBooks Assistance Library Intuit, Inc. c:\program files\intuit\quickbooks premier\helpasyncpluggableprotocol.dll
+ skype4com Skype for COM API Skype Technologies c:\program files\common files\skype\skype4com.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Themes Setup File not found: C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll
+ Windows Desktop Update File not found: regsvr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ SABShellExecuteHook Class ShellExecuteHook SuperAdBlocker.com c:\program files\superantispyware\sasseh.dll
HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
+ WebExShareMenu WbxRMenu Module c:\program files\webex\productivity tools\ptwbxrm.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll
+ HotShellExt_40 eFax Messenger - Shell Extension j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gshell.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ MBAMShlExt Malwarebytes' Anti-Malware Malwarebytes Corporation c:\program files\malwarebytes' anti-malware\mbamext.dll
+ WinRAR c:\program files\winrar\rarext.dll
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
+ igfxcui igfxpph Module Intel Corporation c:\windows\system32\igfxpph.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ eFax Messenger - Shell Extension eFax Messenger - Shell Extension j2 Global Communications, Inc. c:\program files\efax messenger 4.4\j2gshell.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ QBVersionTool QBVersionTool Intuit Inc. c:\program files\common files\intuit\quickbooks\qbversiontool.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ Java™ Plug-In 2 SSV Helper Java™ Platform SE binary Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll
+ JQSIEStartDetectorImpl Class Java™ Quick Starter binary Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
+ Spybot-S&D IE Protection SBSD IE Protection Safer Networking Limited c:\program files\spybot - search & destroy\sdhelper.dll
+ {93353C3E-D1A9-4F4C-BA63-7D4CD672B7C2} c:\windows\system32\auth.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Adobe PDF Adobe IE plugin Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\acrobat\acroiefavclient.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Bodog Poker File not found: C:\Program Files\Bodog Poker\BPGame.exe
HKLM\System\CurrentControlSet\Services
+ Diskeeper Controls the Windows Diskeeper Service Executive Software International, Inc. c:\program files\executive software\diskeeper\dkservice.exe
+ EvtEng Manages the event trace messages for all the components of Intel® PROSet/Wireless software. Intel Corporation c:\program files\intel\wireless\bin\evteng.exe
+ IntuitUpdateService Helps Intuit applications automatically update themselves. Intuit Inc. c:\program files\common files\intuit\update service\intuitupdateservice.exe
+ Iomega App Services AppServices Iomega Corporation c:\program files\iomega\system32\appservices.exe
+ JavaQuickStarterService Prefetches JRE files for faster startup of Java applets and applications Sun Microsystems, Inc. c:\program files\java\jre6\bin\jqs.exe
+ LiveUpdate LiveUpdate Core Engine Symantec Corporation c:\program files\symantec\liveupdate\lucomserver_3_1.exe
+ NICCONFIGSVC Configure your Internal Network Card power management settings. Dell Inc. c:\program files\dell\quickset\nicconfigsvc.exe
+ Pantech Utility Service PWIUtilityService Sprint Spectrum, L.L.C c:\program files\sprint\pantech\sprint mobile broadband (pantech)\pwiutilityservice.exe
+ QBCFMonitorService QuickBooks Company File Monitoring Service Intuit c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe
+ QBFCService QuickBooks FCS module Intuit Inc. c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe
+ RegSrvc Intel® PROSet/Wireless Registry Service Intel Corporation c:\program files\intel\wireless\bin\regsrvc.exe
+ S24EventMonitor Wireless Management Service for Intel® PROSet/Wireless Intel Corporation c:\program files\intel\wireless\bin\s24evmon.exe
+ SlingAgentService Enables Clip and Sling functionality Version 0.9.0.149 Sling Media Inc. c:\program files\sling media\slingagent\slingagentservice.exe
+ STacSV Manages SigmaTel Audio Universal Jack configurations. SigmaTel, Inc. c:\program files\sigmatel\c-major audio\wdm\stacsv.exe
+ tcsd_win32.exe TCS service for accessing the TPM c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe
+ vpnagent Cisco AnyConnect VPN Agent for Windows Cisco Systems, Inc. c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe
+ WLANKEEPER Provides Single Sign On (SSO) functionality. Intel® Corporation c:\program files\intel\wireless\bin\wlkeeper.exe
HKLM\System\CurrentControlSet\Services
+ AegisP AEGIS Protocol (IEEE 802.1x) v3.6.0.0 Meetinghouse Data Communications c:\windows\system32\drivers\aegisp.sys
+ ApfiltrService Alps Touch Pad Driver Alps Electric Co., Ltd. c:\windows\system32\drivers\apfiltr.sys
+ APPDRV App Support Driver Dell Inc c:\windows\system32\drivers\appdrv.sys
+ b57w2k Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver. Broadcom Corporation c:\windows\system32\drivers\b57xp32.sys
+ BrScnUsb Brother USB Scanner Driver Brother Industries Ltd. c:\windows\system32\drivers\brscnusb.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ cicgnz File not found: system32\drivers\bpibho.sys
+ CSRBC CsrUsb Device Driver CSR, plc c:\windows\system32\drivers\csrbcxp.sys
+ DXEC01 dxec01.sys Knowles Acoustics c:\windows\system32\drivers\dxec01.sys
+ guardian2 O2Micro USB CCID SmartCard Reader O2Micro c:\windows\system32\drivers\oz776.sys
+ HDAudBus High Definition Audio Bus Driver v1.0 Windows ® Server 2003 DDK provider c:\windows\system32\drivers\hdaudbus.sys
+ HSF_DPV HSF_DP driver Conexant Systems, Inc. c:\windows\system32\drivers\hsf_dpv.sys
+ HSFHWAZL HSF_HWAZL WDM driver Conexant Systems, Inc. c:\windows\system32\drivers\hsfhwazl.sys
+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
+ ialm Intel Graphics Miniport Driver Intel Corporation c:\windows\system32\drivers\igxpmp32.sys
+ iomdisk Iomega Devices Disk Filter Driver Iomega Corporation c:\windows\system32\drivers\iomdisk.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ mdmxsdk Diagnostic Interface x86 Driver Conexant c:\windows\system32\drivers\mdmxsdk.sys
+ NETw4x32 Intel® Wireless WiFi Link Driver Intel Corporation c:\windows\system32\drivers\netw4x32.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ PTDCBus CDMA USB Composite Device Driver DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcbus.sys
+ PTDCMdm PANTECH PC Card Drivers (UDP) DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcmdm.sys
+ PTDCVsp PANTECH PC Card Diagnostic Serial Port (UDP) DEVGURU Co,LTD. c:\windows\system32\drivers\ptdcvsp.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ qeoihcwi File not found: system32\drivers\tgnvjxab.sys
+ RimUsb BlackBerry Device Driver Research In Motion Limited c:\windows\system32\drivers\rimusb.sys
+ RimVSerPort RIM Virtual Serial Driver Research in Motion Ltd c:\windows\system32\drivers\rimserial.sys
+ s24trans WLAN Transport Intel Corporation c:\windows\system32\drivers\s24trans.sys
+ SASDIFSV SASDIFSV.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasdifsv.sys
+ SASENUM SASENUM.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\sasenum.sys
+ SASKUTIL SASKUTIL.SYS SUPERAdBlocker.com and SUPERAntiSpyware.com c:\program files\superantispyware\saskutil.sys
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
+ STHDA NDRC SigmaTel, Inc. c:\windows\system32\drivers\sthda.sys
+ tosporte TOSHIBA Bluetooth Port Emulation Driver TOSHIBA Corporation c:\windows\system32\drivers\tosporte.sys
+ tosrfbd Bluetooth RF Bus Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfbd.sys
+ tosrfbnp Bluetooth RFBNEP Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfbnp.sys
+ Tosrfcom Bluetooth RFCOMM Driver TOSHIBA Corporation c:\windows\system32\drivers\tosrfcom.sys
+ Tosrfhid Bluetooth HID Driver from TOSHIBA TOSHIBA Corporation. c:\windows\system32\drivers\tosrfhid.sys
+ tosrfnds Bluetooth BNEP Driver TOSHIBA Corporation. c:\windows\system32\drivers\tosrfnds.sys
+ Tosrfusb Bluetooth USB Miniport Driver TOSHIBA CORPORATION c:\windows\system32\drivers\tosrfusb.sys
+ vhic c:\windows\system32\drivers\wlohxino.sys
+ vpnva Cisco AnyConnect VPN Client Virtual Miniport Adapter for Windows Cisco Systems, Inc. c:\windows\system32\drivers\vpnva.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
+ winachsf HSF_CNXT driver Conexant Systems, Inc. c:\windows\system32\drivers\hsf_cnxt.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ igfxcui igfxdev Module Intel Corporation c:\windows\system32\igfxdev.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF Port Acrobat ® PDF Port Adobe Systems Incorporated. c:\windows\system32\adobepdf.dll
+ Toshiba Bluetooth Monitor tbtmon98 Toshiba America Business Solutions, Inc. c:\windows\system32\tbtmon.dll

#6
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
OK, I think we may have a contender in amongst all that data :)

lfsevmwh ACPI Operation Registration Driver Microsoft Corporation c:\windows\system32\drivers\lfsevmwh.sys

In order to confirm, I need to get my hands on a copy of the file, open it up and take a look inside :blink:

If possible, can you locate, zip up and upload the file to a new topic in the following forum, marked for my attention.
http://www.malwareby...hp?showforum=55

Thanks in advance :)
Ade Gill
Research Engineer

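
The entry the moderator singles out above claims "Microsoft Corporation" as its publisher, which is exactly why it does not appear in the "Hide Microsoft and Windows entries" export in post #5: without signature verification Autoruns trusts the company name embedded in the file's version resource, and a forged one gets the entry hidden along with the genuine Windows drivers. Turning on "Verify code signatures" is what defeats that, because an unsigned file then shows "(Not verified)" in front of its publisher. The script below is an added example written for this edit (not code from the thread, Malwarebytes or Sysinternals) that applies the same three checks by machine to the driver section of the text export format shown in post #5: a registered service whose driver file is missing, a driver with no description or publisher at all, and a publisher claim marked "(Not verified)". It assumes the export layout seen above (name, then description and publisher, then path, space-separated). All sample lines are copied from the log in this thread except the lfsevmwh line, which is constructed to show the "(Not verified)" marker that the log, exported without signature verification, does not contain.

```python
import re
from dataclasses import dataclass

# Driver-section lines excerpted from the Autoruns export posted above. The lfsevmwh
# line is CONSTRUCTED for this example: it shows the "(Not verified)" marker Autoruns
# puts in front of the publisher when "Verify code signatures" is on and the file
# carries no valid signature.
SAMPLE_EXPORT = r"""HKLM\System\CurrentControlSet\Services
+ ApfiltrService Alps Touch Pad Driver Alps Electric Co., Ltd. c:\windows\system32\drivers\apfiltr.sys
+ cicgnz File not found: system32\drivers\bpibho.sys
+ ialm Intel Graphics Miniport Driver Intel Corporation c:\windows\system32\drivers\igxpmp32.sys
+ qeoihcwi File not found: system32\drivers\tgnvjxab.sys
+ vhic c:\windows\system32\drivers\wlohxino.sys
+ vpnva Cisco AnyConnect VPN Client Virtual Miniport Adapter for Windows Cisco Systems, Inc. c:\windows\system32\drivers\vpnva.sys
+ lfsevmwh ACPI Operation Registration Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\lfsevmwh.sys
"""

# One exported entry: "+ <name> <description> <publisher> <path>". The columns are only
# space-separated in the text export, so the entry name is taken as the first token and
# everything between it and the path is treated as the description/publisher text
# (an assumption that holds for the single-word service names in the driver section).
ENTRY_RE = re.compile(
    r"^\+\s+(?P<name>\S+)\s*(?P<middle>.*?)\s*"
    r"(?P<path>File not found:.*|[A-Za-z]:\\.*)$"
)
DRIVER_DIR = re.compile(r"system32\\drivers\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str      # service / entry name as shown by Autoruns
    path: str      # image path column
    reasons: list  # why the entry deserves a second look


def parse_entries(export_text):
    """Yield (name, middle, path) for every '+' line; registry key headers are skipped."""
    for line in export_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("middle").strip(), m.group("path").strip()


def triage_drivers(export_text):
    """Flag kernel-driver entries using the same cues a human reviewer applies."""
    findings = []
    for name, middle, path in parse_entries(export_text):
        if not DRIVER_DIR.search(path):
            continue  # this example only looks at system32\drivers entries
        missing = path.startswith("File not found:")
        reasons = []
        if missing:
            reasons.append("service still registered but its driver file is gone")
        elif not middle:
            reasons.append("driver carries no description or publisher")
        if "(Not verified)" in middle:
            reasons.append("publisher claim is not backed by a valid code signature")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_drivers(SAMPLE_EXPORT):
        print(f"{f.name:<12} {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports cicgnz, qeoihcwi, vhic and lfsevmwh and stays quiet on the Alps, Intel and Cisco drivers. A "File not found" driver entry is not proof of infection on its own (the page's own list has Changer, i2omgmt and PCIDump in the same state), so the reasons are recorded per entry rather than collapsed into a verdict; the point is to reduce a few hundred lines to a short list worth hashing and submitting, which is the next step the moderator takes.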

#7
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
I will go post it there now. Oddly enough, this is one of the drivers that I found that looked suspicious (I couldn't find any reference to the name anywhere). There are also a couple of others on my system that fell into that category:

mryav.sys
sr.sys

Not sure if you want these too....

#8
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
Yeah, sure, if you want to throw them in I will have a look at them too :blink:
Ade Gill
Research Engineer


#9
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
I'll send another zip with sr.sys.

The way I saw these was by looking with RootRepeal. Interestingly enough, mryav.sys shows up there, but it notes the file is not visible, and I cannot find it on my system.

#10
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
OK, got the files now :blink:

Guessing that you are already quite in the know with computer stuff, here's a little bit of support advice when checking out a suspect file.

1st stop is the VirusTotal service for 40 second opinions
http://www.virustotal.com
Usually, if it's bad, then someone will be flagging it the bulk of the time.

No hits at VT? Then Google the filename and the file's MD5. Now, usually both legitimate files and malware files have a history, as in seen before, but if all 3 come up with 0 hits then there is a very high probability that you have just stumbled upon a new malware :)
In this case:
VT = 0/40
http://www.virustotal.com/analisis/a6db5e4...cd32b742a13089a
Filename search
http://www.google.co.uk/search?sourceid=na...;q=lfsevmwh.sys
MD5 search
http://www.google.co.uk/search?hl=en&r...earch&meta=


I can confirm after further prodding that we have found the culprit and will add new targeting definitions for it to the MBAM DB; this will appear in 1 of the updates in the next 24 hrs :)

PS: sr.sys is a legitimate driver for System Restore :)
Ade Gill
Research Engineer


#11
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
I'm years behind my techie days... just dangerous enough to poke around (and I read through a bunch of the posts here to see what others had done, programs they had used, etc.). That's why I joined here and asked before I did anything dangerous :blink:

I'll be sure to update and retry a few times over the next 24 hours and see what happens... this thing is really starting to Pi$$ me off!

Thanks for all your help.

#12
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
Hi ya,

Please update and run MBAM quick scan :blink:
Ade Gill
Research Engineer


#13
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
Updated and scanned (log attached). Rebooted, ran the scan again and it came up clean. Any next steps? Thanks!

Malwarebytes' Anti-Malware 1.35
Database version: 1930
Windows 5.1.2600 Service Pack 2

2009-04-01 16:51:52
mbam-log-2009-04-01 (16-51-52).txt

Scan type: Quick Scan
Objects scanned: 94958
Time elapsed: 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93353c3e-d1a9-4f4c-ba63-7d4cd672b7c2} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{93353c3e-d1a9-4f4c-ba63-7d4cd672b7c2} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lfsevmwh (Rootkit.Sentinel) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lfsevmwh (Rootkit.Sentinel) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsevmwh (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\auth.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\eorluriz.sys (Rootkit.Sentinel) -> Delete on reboot.
C:\WINDOWS\system32\drivers\lfsevmwh.sys (Rootkit.Sentinel) -> Delete on reboot.
C:\Documents and Settings\joe.leluga\Local Settings\Temp\kcxpkhzp.dat (Rootkit.Agent) -> Delete on reboot.

#14
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
OK, looking good :blink:

If you can just do the following routine (+ new HJT log afterwards) then I will be able to see if you're good to go!

STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ade Gill
Research Engineer


#15
jmlugnut

    New Member

  • Members
  • 11 posts
  • Gender:Male
Here you go....

--------------------------------------------------------------------
ComboFix 09-04-01.01 - Joe.Leluga 2009-04-02 7:29:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.2908 [GMT -5:00]
Running from: c:\documents and settings\joe.leluga\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-01 13:22 . 2009-04-01 14:20 <DIR> d-------- c:\temp\mbam stuff
2009-04-01 11:31 . 2009-04-01 12:22 <DIR> d-------- c:\temp\Autoruns
2009-04-01 11:31 . 2009-04-01 11:31 578,149 --a------ c:\temp\Autoruns.zip
2009-04-01 10:54 . 2009-04-01 10:54 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 10:22 . 2009-04-01 10:23 <DIR> d-------- c:\temp\RootRepeal
2009-03-12 14:06 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-12 14:06 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-10 09:00 . 2009-03-10 09:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-09 21:33 . 2009-03-09 21:33 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-03-09 21:33 . 2009-03-09 21:33 <DIR> d-------- c:\documents and settings\joe.leluga\Application Data\Intuit
2009-03-09 21:30 . 2009-03-09 21:30 <DIR> d-------- c:\program files\TurboTax
2009-03-09 16:05 . 2007-07-30 14:44 3,518,464 --a------ c:\windows\system32\cdintf300.dll
2009-03-09 16:05 . 2007-06-28 14:09 1,843,200 --a------ c:\windows\system32\acXMLParser.dll
2009-03-09 15:57 . 2009-03-09 21:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit
2009-03-09 15:54 . 2009-03-09 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-03-09 15:54 . 2009-03-09 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\COMMON FILES
2009-03-09 15:54 . 2009-03-10 12:11 93 --a------ c:\windows\QBChanUtil_Trigger.ini
2009-03-05 13:55 . 2009-03-05 13:55 <DIR> d-------- c:\program files\Cisco
2009-03-05 13:55 . 2009-03-05 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cisco
2009-03-02 11:01 . 2009-03-02 11:01 <DIR> d-------- c:\program files\LimeWire
2009-03-02 10:39 . 2009-03-02 10:39 <DIR> d-------- c:\program files\Linksys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 21:27 --------- d-----w c:\program files\Trillian
2009-03-31 20:08 --------- d-----w c:\documents and settings\joe.leluga\Application Data\LimeWire
2009-03-26 22:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 21:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 21:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 19:17 --------- d-----w c:\program files\Common Files\Adobe
2009-03-21 03:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-15 00:22 --------- d-----w c:\program files\Sling Media
2009-03-10 14:58 --------- d-----w c:\program files\Google
2009-03-10 14:52 --------- d-----w c:\program files\Symantec
2009-03-10 14:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-10 14:52 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-10 02:32 --------- d-----w c:\program files\Common Files\Intuit
2009-03-09 21:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 17:09 --------- d-----w c:\documents and settings\joe.leluga\Application Data\webex
2009-02-23 14:06 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-23 14:06 --------- d-----w c:\program files\Java
2009-02-06 20:12 --------- d-----w c:\program files\WebEx
2009-02-06 20:12 --------- d-----w c:\documents and settings\joe.leluga\Application Data\Productivity Tools
2009-02-05 19:11 --------- d-----w c:\program files\RealVNC
2009-02-05 16:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 15:48 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-05 15:48 --------- d-----w c:\documents and settings\joe.leluga\Application Data\SUPERAntiSpyware.com
2009-02-05 15:48 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-05 15:47 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-05 15:46 1,336,947 ----a-w C:\MGtools.exe
2009-02-05 15:37 --------- d-----w c:\program files\CCleaner
2009-02-05 15:31 --------- d-----w c:\program files\3GP Player
2009-02-04 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2009-02-04 21:44 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-02-04 21:39 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search
2009-02-04 14:46 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-03 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( SnapShot_2009-03-13_15.26.11.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-13 14:35:53 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe
+ 2009-03-22 19:22:31 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe
- 2008-10-13 14:35:53 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat_Standard.exe
+ 2009-03-22 19:22:32 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat_Standard.exe
- 2008-10-13 14:35:53 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Distiller.exe
+ 2009-03-22 19:22:32 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Distiller.exe
- 2008-10-13 14:35:53 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_ELEMENTS_DT.exe
+ 2009-03-22 19:22:32 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_ELEMENTS_DT.exe
- 2009-01-20 00:34:10 4,150 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\ARPPRODUCTICON.exe
+ 2009-03-15 00:23:19 4,150 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\ARPPRODUCTICON.exe
- 2009-01-20 00:34:11 397,312 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\NewShortcut2_E274178589934BB6A76F35244DC4FFB0.exe
+ 2009-03-15 00:23:19 397,312 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\NewShortcut2_E274178589934BB6A76F35244DC4FFB0.exe
- 2009-01-20 00:34:11 397,312 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\SlingPlayerShortCu_E274178589934BB6A76F35244DC4FFB0.exe
+ 2009-03-15 00:23:19 397,312 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\SlingPlayerShortCu_E274178589934BB6A76F35244DC4FFB0.exe
- 2009-01-20 00:34:11 8,854 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\UNINST_Uninstall_S_E274178589934BB6A76F35244DC4FFB0.exe
+ 2009-03-15 00:23:19 8,854 ----a-r c:\windows\Installer\{E2741785-8993-4BB6-A76F-35244DC4FFB0}\UNINST_Uninstall_S_E274178589934BB6A76F35244DC4FFB0.exe
- 2009-03-12 18:06:23 79,550 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-01 21:57:34 79,550 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-12 18:06:23 465,700 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-01 21:57:34 465,700 ----a-w c:\windows\system32\perfh009.dat
- 2004-01-07 18:21:24 237,936 ----a-w c:\windows\system32\unicows.dll
+ 2008-09-23 22:46:32 245,408 ----a-w c:\windows\system32\unicows.dll
+ 2009-04-01 21:52:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_144.dat
+ 2009-03-13 20:33:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PfuSsSct.exe"="c:\program files\PFU\ScanSnap\PfuSsSct.exe" [2003-12-22 110592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-14 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-14 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-14 162584]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-23 148888]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]

c:\documents and settings\IT\Start Menu\Programs\Startup\
Diskeeper 9 Home Edition Registration.lnk - c:\program files\Executive Software\Diskeeper\ESIRegister.exe [2005-01-04 3674112]

c:\documents and settings\joe.leluga\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-07 656896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= c:\windows\system32\..\pre.sxf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wsusfix.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Premier\\QBDBMgrN.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-01-28 13088]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
S0 cicgnz;cicgnz;c:\windows\system32\drivers\bpibho.sys --> c:\windows\system32\drivers\bpibho.sys [?]
S0 qeoihcwi;qeoihcwi;c:\windows\system32\drivers\tgnvjxab.sys --> c:\windows\system32\drivers\tgnvjxab.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [2008-05-19 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.igoogle.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intranet
Trusted Zone: kofax.com\chgpw
Trusted Zone: kofax.com\helpdesk
Trusted Zone: kofax.com\hpsim
Trusted Zone: kofax.com\intranet
Trusted Zone: kofax.com\knownow
Trusted Zone: kofax.com\lms
Trusted Zone: kofax.com\lotus
Trusted Zone: kofax.com\sp
Trusted Zone: kofax.com\www
Trusted Zone: intranet
Trusted Zone: kofax.com\chgpw
Trusted Zone: kofax.com\helpdesk
Trusted Zone: kofax.com\hpsim
Trusted Zone: kofax.com\intranet
Trusted Zone: kofax.com\knownow
Trusted Zone: kofax.com\lms
Trusted Zone: kofax.com\lotus
Trusted Zone: kofax.com\sp
Trusted Zone: kofax.com\www
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Premier\HelpAsyncPluggableProtocol.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://remote1.kofax.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 07:30:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscdll.dll
.
Completion time: 2009-04-02 7:31:07
ComboFix-quarantined-files.txt 2009-04-02 12:31:05
ComboFix2.txt 2009-03-13 20:27:02
ComboFix3.txt 2009-02-05 17:10:01

Pre-Run: 140,853,772,288 bytes free
Post-Run: 141,109,182,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2008-09-24 17:28:46

--------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:39, on 2009-04-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Conversion to PDF with ScanSnap Organizer.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\WebEx\Productivity Tools\ptonecli.dll (HKCU)
O15 - Trusted Zone: http://*.intranet
O15 - Trusted Zone: http://chgpw.kofax.com
O15 - Trusted Zone: http://helpdesk.kofax.com
O15 - Trusted Zone: http://intranet.kofax.com
O15 - Trusted Zone: http://lms.kofax.com
O15 - Trusted Zone: http://sp.kofax.com
O15 - Trusted Zone: http://www.kofax.com
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: http://chgpw.kofax.com (HKLM)
O15 - Trusted Zone: http://helpdesk.kofax.com (HKLM)
O15 - Trusted Zone: http://intranet.kofax.com (HKLM)
O15 - Trusted Zone: http://lms.kofax.com (HKLM)
O15 - Trusted Zone: http://sp.kofax.com (HKLM)
O15 - Trusted Zone: http://www.kofax.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://remote1.kofax.com/CACHE/webvpn/stc/...ries/vpnweb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236350038500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236350025656
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\Software\..\Telephony: DomainName = kofax.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kofax.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kofax.com
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks Premier\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint Mobile Broadband (Pantech)\PWIUtilityService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12127 bytes

#16
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,150 posts
  • Gender:Male
  • Location:127.0.0.1
Ok the logs are looking good to go now :)

Here's some handy reading though: the Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain Security Leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Safe surfing :)
Ade Gill
Research Engineer
