
Malware-WSOCK.SYS; SVCHOST.EXE Problems

This is my first post ever to a forum.

All software on my system is always up-to-date.

I'm very confused with some malware that I have on my system, and unfortunately I know exactly when it got there -- I was responsible for running a video editing tool (link removed so as not to cause infections on other users' machines who may accidentally click on it) that was supposed to do one thing but immediately provided me with a rather not nice message and obviously did something very different.

I've run several different malware detection programs -- some detect various components of the problem, but none can totally remove it. Following are the symptoms and my HijackThis output.

1. I immediately noticed that I lost the use of CMD, REGEDIT & Task Manager (I ran a little file that corrects all of these, so I had them back).
2. My System Restore tab from My Computer > Properties was missing.
3. I lost local networking capability, but maintained internet connectivity.
4. I ran Ad-Aware and Spybot S&D. Both flagged multiple alerts, some they could fix, others they couldn't.
5. After F-Secure Internet Security and Anti-Virus (which was running when I ran this little devil) didn't appear to help (BTW, I had scanned the file before I ran it and it appeared to be clean), I decided to unload F-Secure and load Zone Labs Security Suite (I own six different virus and internet security packages because I've been assisting several of my friends evaluating them). It identified some of the same and some additional problems, and corrected a subset of them.
6. <SYS> WSOCK32.SYS was identified, but could not be deleted, so I renamed it, moved it into another directory, then renamed that directory. I could not delete it.
7. After every reboot, the CMD, REGEDIT & Task Manager were gone. WSOCK32.SYS is back.
8. I've not been successful at restoring local networking.
9. Repeated runs of Ad-Aware, Spybot S&D, and whatever Anti-Virus I have installed at any given time continue to identify the same problems.
10. Next I noticed the system was extremely slow. Task Manager revealed that I had multiple process copies of SVCHOST.EXE running -- at one point 50!

I realize I could simply reformat and begin again, but I very much would like to understand what is happening. What is putting WSOCK32.SYS back following every boot?

Currently I have Kaspersky Internet Security v6 installed. I was amazed at how many things it detected that F-Secure and ZoneAlarm did not. Unfortunately, it too could not remove many of the detected problems.

===============================================================
HijackThis -- Somewhere in this forum I read the recommendations on posting a HijackThis file to this forum.
That was very helpful. Thank you.
===============================================================

Logfile of HijackThis v1.99.1
Scan saved at 3:21:57 PM, on 9/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Bin.Install\Selma.Downloads\SW\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

=============================================

Thank you in advance for any ideas you can provide.
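The log above shows the persistence chain in three places at once: `Shell=Explorer.exe ...\scvhost.exe` in the system.ini mapping (F2), `load=` and `run=` in the win.ini mapping (F3), and a `RunServices` entry (O4), every one of them pointing at `scvhost.exe`, a transposed-letter look-alike of the real `svchost.exe` that appears in the running-process list. The Python script below is an added example, not part of the original post and not HijackThis code: it reads HijackThis-style lines and flags exactly those patterns, plus any file name that is one typo away from a core Windows process name, which is also the pattern behind most of the SDFix variant list quoted later in the thread. The sample lines are taken from the log above and from that SDFix list; the `SYSTEM_BINARIES` list, the one-edit threshold and the function names are my own choices, not anything HijackThis or SDFix defines.

```python
"""Flag HijackThis persistence patterns seen in this thread (added example, not HijackThis code).

Assumptions (mine): SYSTEM_BINARIES and the one-edit look-alike threshold are chosen to
catch the typo-squats in this thread (scvhost, lssas, Isass, csrs, ...).
"""
import re
from typing import Dict, List, Optional

# Legitimate core process names that droppers typo-squat; compared case-insensitively.
SYSTEM_BINARIES = [
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "taskmgr.exe", "spoolsv.exe", "userinit.exe",
]
LOOKALIKE_MAX_DISTANCE = 1  # "one typo away": insert, delete, substitute or swap two letters

# A bare file name with an executable-ish extension; a backslash ends the match, so paths yield the name only.
EXE_RE = re.compile(r"[\w$~-]+\.(?:exe|pif|scr|com|bat|dll)\b", re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance (Levenshtein plus adjacent transposition)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swap of two adjacent letters
    return d[len(a)][len(b)]


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary that `name` imitates, or None if it is exact or unrelated."""
    n = name.lower()
    if n in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        if osa_distance(n, legit) <= LOOKALIKE_MAX_DISTANCE:
            return legit
    return None


def audit_hjt_line(line: str) -> List[str]:
    """Findings for one HijackThis log line (empty list means nothing suspicious)."""
    findings: List[str] = []
    line = line.strip()
    if not line:
        return findings
    section = line.split(" - ", 1)[0]  # "F2", "F3", "O4", "O23", ...
    if section == "F2":
        # Shell= must be Explorer.exe alone; anything appended starts with every logon.
        m = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
        if m:
            extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append("Shell= launches extra program(s): " + " ".join(extra))
        # UserInit= must be userinit.exe alone; a comma-appended program runs at logon too.
        m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
        if m:
            extra = [t.strip() for t in m.group(1).split(",")
                     if t.strip() and not t.strip().lower().endswith("userinit.exe")]
            if extra:
                findings.append("UserInit= launches extra program(s): " + ",".join(extra))
    elif section == "F3" and re.search(r"\b(?:load|run)=\S", line, re.IGNORECASE):
        findings.append("win.ini load=/run= is populated (should be empty on XP)")
    elif section == "O4" and "RunServices" in line:
        findings.append("RunServices key in use (Win9x-era key; NT-based Windows does not process it, "
                        "but IRCBot droppers write it anyway)")
    for exe in EXE_RE.findall(line):
        legit = lookalike_of(exe)
        if legit:
            findings.append(f"{exe} is one typo away from {legit}")
    return findings


def audit_hjt_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its findings; clean lines are left out."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        found = audit_hjt_line(line)
        if found:
            report[line.strip()] = found
    return report


# Sample input: lines copied from the HijackThis log in this thread plus two entries
# from the SDFix variant list quoted later (the NvCplDaemon and SoundMan lines are benign controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,asus.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe
"""

if __name__ == "__main__":
    for entry, findings in audit_hjt_log(SAMPLE_LOG).items():
        print(entry)
        for f in findings:
            print("   ->", f)
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents (`audit_hjt_log(open("hijackthis.log").read())`). Six of the eight sample lines are flagged; the two NVIDIA and SoundMan entries pass. The one-edit threshold is deliberately tight: a looser plain Levenshtein cut-off of 2 would also flag legitimate names such as `msmsgs.exe` against `smss.exe`.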

Comments

  • edited September 2006
    I just viewed my post and apologize for the formatting -- I guess I'll have to be careful posting and pasting from Notepad in the future.

    Also, I thought of a couple of additional things that might be of interest. I googled these symptoms and one site (Sophos, I believe) indicated that this might include a rootkit. So I ran SysInternals RootkitRevealer and F-Secure's BlackLight but neither identified anything unusual.

    I have checked for many suggested fixes inside my registry, and again have not found anything obvious to be causing this problem.
  • Leonardo, Eagle River, Alaska
    edited September 2006
    Sparky, I've moved your thread to the Spyware/Virus/Trojan Help forum. I'm sure one of our volunteers will help you get your system back in order.
  • rpggamergirl, South Australia
    edited September 2006
    Hi Sparky545,
    Welcome to the forum!


    1. Please download SDFix and save it to your desktop.
    http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

    Please reboot your computer in Safe Mode by doing the following :
    Restart your computer
    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    Instead of Windows loading as normal, a menu with options should appear;
    Select the first option, to run Windows in Safe Mode, then press "Enter".
    Choose your usual account.

    In Safe Mode, right click the SDFix.zip folder and choose "Extract All",
    Open the extracted folder and double click "RunThis.bat" to start the script.
    Type Y to begin the script.
    It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.
    Your system will take longer than normal to restart as the fixtool will be running and removing files.
    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


    2. Also download (the GUI) version of BlackLight, and save it to your desktop.
    https://europe.f-secure.com/blacklight/try.shtml
    Doubleclick blbeta.exe, accept the agreement, click scan > next.

    You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
  • edited September 2006
    Following are, in the order they occurred:

    01. SDFix Report#1 (from SafeMode)
    02. Bootup File Not Found Alert#1
    03. Bootup File Not Found Alert#2 (these two alerts repeated a second time)
    04. Spybot Bootup Alert
    05. Kaspersky Bootup Alert
    06. SDFix Report#2 (following Reboot)
    07. HiJackThis Log
    08. BlackLight Log
    09. RootkitRevealer Report
    10. Ad-Aware Report
    11. Spybot Report
    12. Kaspersky Full System Scan Report (edited down to relevant details)

    Questions:
    1. While reading a guide on this forum it suggested running 8 steps to possibly fix problems. These were WinXP Recovery Console steps that included executing ATTRIB; Del boot.ini; BOOTCFG /REBUILD; CHKDSK /R /F; FIXBOOT. Apparently I didn't use the same Load Identifier for this new rebuild as the original, so now on bootup I have two operating systems identified: (a) WinXP Pro -- the new one, and (b) Microsoft Windows XP Professional. Can you tell me how to delete the second one?

    2. I have been attempting to determine "the best" anti-virus and internet security software. Based on my limited knowledge and experience, after installing and running six different packages, including Kaspersky, ZoneAlarm, F-Secure, Norton, McAfee, AVG & AVAST, it appears that no individual package detects everything (i.e., if I load and unload one package, followed by another, each seems to detect unique malware). The best to me appears to be Kaspersky. Are there concrete results somewhere that are more detailed than my limited evaluation?

    =========================================================
    SDFix Report#1
    =========================================================
    SDFix: Version 1.25
    Wed 09/20/2006 06:31 AM
    Microsoft Windows XP [Version 5.1.2600]
    Running from: D:\CD\Selma.Downloads\SW\SDFix
    Stage One...
    Checking Services...
    Name:
    Path:
    Repairing Registry...
    Restoring Default Hosts File...
    Stage One Complete
    Rebooting!

    =========================================================
    Bootup File Not Found Alerts
    =========================================================
    C:\Windows\System32\scvhost.exe
    Windows cannot find 'C:\Windows\system32\scvhost.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    FOLLOWED IMMEDIATELY BY

    Desktop
    Could not load or run 'C:\Windows\system32\scvhost.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

    NOTE: scvhost.exe does not exist, while svchost.exe does!

    FOLLOWED IMMEDIATELY BY

    Bootup.File.Spybot.Alert.jpg (I think I just attached that file).
    I'm confused as to why this screen is always cut off at the bottom.

    FOLLOWED IMMEDIATELY BY

    Kaspersky.Alert.jpg (attached?)
    This indicated that it detected "dirty.32.sis.trash" which was
    originally WSOCK32.SYS that I renamed and attempted to delete.
    I finally thought I had deleted it on a subsequent reboot, but it
    continues to reappear.

    =========================================================
    SDFix Report#2 (following reboot)
    in following reply due to reply post limitations
    =========================================================
  • edited September 2006
    =========================================================
    SDFix Report#2 (following reboot)
    =========================================================

    *NOTE

    THIS IS A LIST OF TROJAN VARIANTS THAT ARE REMOVED BY THIS TOOL, PLEASE
    POST THE REPORT.TXT ON THE FORUM AFTER RUNNING THE TOOL AND NOT THIS FILE !



    This script will only run on Windows 2000 and Windows XP and will only run in Safe Mode !

    At Present the fixtool removes these Trojan Variants:

    Entries listed are taken from a HijackThis log (http://www.merijn.org/)


    (IRCBot Trojans)


    O4 - Global Startup: msconfig.exe
    O4 - Global Startup: taskmgr.exe

    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

    O4 - HKLM\..\Run: [ActiveScan Antivirus] ActiveScan.exe
    O4 - HKLM\..\RunServices: [ActiveScan Antivirus] ActiveScan.exe
    O4 - HKCU\..\Run: [ActiveScan Antivirus] ActiveScan.exe
    O4 - HKCU\..\RunServices: [ActiveScan Antivirus] ActiveScan.exe

    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\system32\algs.exe

    O4 - HKLM\..\Run: [asnconsole] msasn.exe
    O4 - HKLM\..\RunServices: [asnconsole] msasn.exe

    F2 - REG:system.ini: Shell=Explorer.exe asus.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,asus.exe
    O4 - HKLM\..\Run: [Asus MotherBoard Utility] asus.exe
    O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
    O4 - HKCU\..\Run: [Asus MotherBoard Utility] asus.exe
    O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe

    O4 - HKLM\..\Run: [ATI AS Filter] msnse.exe
    O4 - HKLM\..\RunServices: [ATI AS Filter] msnse.exe
    O4 - HKCU\..\Run: [ATI AS Filter] msnse.exe
    O4 - HKCU\..\RunServices: [ATI AS Filter] msnse.exe

    O4 - HKLM\..\Run: [Ati Control Panel] atiphexx.exe
    O4 - HKLM\..\RunServices: [Ati Control Panel] atiphexx.exe
    O4 - HKCU\..\Run: [Ati Control Panel] atiphexx.exe

    O4 - HKLM\..\Run: [AdobeReader] msni.exe
    O4 - HKLM\..\RunServices: [AdobeReader] msni.exe

    O4 - HKLM\..\Run: [AdobeReaderPro] msnserve.exe
    O4 - HKLM\..\RunServices: [AdobeReaderPro] msnserve.exe

    O4 - HKLM\..\Run: [AdobeReaderPros] sysmsn.exe
    O4 - HKLM\..\RunServices: [AdobeReaderPros] sysmsn.exe

    O4 - HKLM\..\Run: [Catalyst Control Centre] atixvdm.exe
    O4 - HKLM\..\RunServices: [Catalyst Control Centre] atixvdm.exe

    O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe

    O4 - HKLM\..\Run: [Client Server Run Time Proccess] csrsrv.exe
    O4 - HKLM\..\RunServices: [Client Server Run Time Proccess] csrsrv.exe

    O4 - HKLM\..\RunServices: [cof.updit] (Random Name).exe
    O4 - HKLM\..\Run: [cof.updit] (Random Name).exe

    O4 - HKLM\..\Run: [Configuration Loader] configldr.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe

    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe

    O4 - HKLM\..\Run: [Configuration Loader] syscfg32.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] syscfg32.exe

    O4 - HKLM\..\RunServices: [Configuration Loader] loadcfg32.exe

    O4 - HKLM\..\Run: [Configuration Servecie] sewins.exe
    O4 - HKLM\..\RunServices: [Configuration Servecie] sewins.exe
    O4 - HKCU\..\Run: [Configuration Servecie] sewins.exe

    F2 - REG:system.ini: Shell=Explorer.exe creative.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,creative.exe
    O4 - HKLM\..\Run: [Creative Audio Drivers] creative.exe
    O4 - HKLM\..\RunServices: [Creative Audio Drivers] creative.exe
    O4 - HKCU\..\Run: [Creative Audio Drivers] creative.exe
    O4 - HKCU\..\RunServices: [Creative Audio Drivers] creative.exe

    F2 - REG:system.ini: Shell=Explorer.exe windfe.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,windfe.exe
    O4 - HKLM\..\Run: [DLINK dfe drivers for Windows NT] windfe.exe
    O4 - HKLM\..\RunServices: [DLINK dfe drivers for Windows NT] windfe.exe
    O4 - HKCU\..\Run: [DLINK dfe drivers for Windows NT] windfe.exe
    O4 - HKCU\..\RunServices: [DLINK dfe drivers for Windows NT] windfe.exe

    O4 - HKLM\..\Run: [dll services] (Random Name).exe
    O4 - HKLM\..\RunServices: [dll services] (Random Name).exe

    O4 - HKLM\..\Run: [DRam prmaessor] mp2Ld.exe
    O4 - HKLM\..\RunServices: [DRam prmaessor] mp2Ld.exe

    O4 - HKLM\..\Run: [DRan posessor] DAP.exe
    O4 - HKLM\..\RunServices: [DRan posessor] DAP.exe

    O4 - HKLM\..\Run: [DRam prosesor] (Random Name).exe
    O4 - HKLM\..\RunServices: [DRam prosesor] (Random Name).exe

    O4 - HKLM\..\Run: [DRam prosessor] winsys.exe
    O4 - HKLM\..\RunServices: [DRam prosessor] winsys.exe

    O4 - HKLM\..\Run: [Expl0rer soft] expl0rer.pif
    O4 - HKLM\..\RunServices: [Expl0rer soft] expl0rer.pif

    O4 - HKLM\..\Run: [File System] taskmqr.exe
    O4 - HKLM\..\RunServices: [File System] taskmqr.exe
    O4 - HKCU\..\Run: [File System] taskmqr.exe

    O4 - HKLM\..\Run: [File System] taskmqrs.exe
    O4 - HKLM\..\RunServices: [File System] taskmqrs.exe
    O4 - HKCU\..\Run: [File System] taskmqrs.exe

    O4 - HKLM\..\Run: [Fire Wall services] (Random Name).exe
    O4 - HKLM\..\RunServices: [Fire Wall services] (Random Name).exe

    O4 - HKLM\..\Run: [FrameWork 2.5] FrameWork.exe
    O4 - HKLM\..\RunServices: [FrameWork 2.5] FrameWork.exe

    O4 - HKLM\..\Run: [Google service] Googlesetup.exe
    O4 - HKLM\..\RunServices: [Google service] Googlesetup.exe

    O4 - HKLM\..\Run: [Internet Explorer Security] iexplore.pif
    O4 - HKLM\..\RunServices: [Internet Explorer Security] iexplore.pif
    O4 - HKCU\..\Run: [Internet Explorer Security] iexplore.pif
    O4 - HKCU\..\RunServices: [Internet Explorer Security] iexplore.pif

    O4 - HKLM\..\Run: [Index Service] dllhost32.exe
    O4 - HKLM\..\RunServices: [Index Service] dllhost32.exe
    O23 - Service: Index Service (b3) - Unknown owner - C:\WINDOWS\system32\dllhost32.exe" -service (file missing)

    O4 - HKLM\..\Run: [internet service] svho0st98.exe
    O4 - HKLM\..\RunServices: [internet service] svho0st98.exe

    O4 - HKLM\..\Run: [JA Config 32] Awesome32.exe
    O4 - HKLM\..\RunServices: [JA Config 32] Awesome32.exe
    O4 - HKCU\..\Run: [JA Config 32] Awesome32.exe

    O4 - HKLM\..\Run: [Java Runtime Value] runjava.exe
    O4 - HKLM\..\RunServices: [Java Runtime Value] runjava.exe
    O4 - HKCU\..\Run: [Java Runtime Value] runjava.exe
    O4 - HKCU\..\RunServices: [Java Runtime Value] runjava.exe

    O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
    O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
    O4 - HKCU\..\Run: [Linksys Modem Drivers] linksys.exe

    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\lssas.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\system32\Isass.exe

    O4 - HKLM\..\Run: [Managment Service] (Random Name).exe
    O4 - HKLM\..\RunServices: [Managment Service] (Random Name).exe

    O4 - HKLM\..\Run: [mb2np] (Random Name).exe
    O4 - HKLM\..\RunServices: [mb2np] (Random Name).exe

    O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
    O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe

    O4 - HKLM\..\Run: [Microsoft Anti-Spy] (Random Name).exe
    O4 - HKLM\..\RunServices: [Microsoft Anti-Spy] (Random Name).exe

    O4 - HKLM\..\Run: [Microsoft AntiSpyware] KT06.pif
    O4 - HKLM\..\RunServices: [Microsoft AntiSpyware] KT06.pif

    O4 - HKLM\..\Run: [Microsoft Anti-Virus] (Random Name).exe
    O4 - HKLM\..\RunServices: [Microsoft Anti-Virus] (Random Name).exe

    O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe
    O4 - HKCM\..\Run: [Microsoft AUT Update] MSlti32.exe
    O4 - HKCU\..\RunServices: [Microsoft AUT Update] MSlti32.exe
    O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe

    O4 - HKLM\..\Run: [Microsoft CONFIG] winmx.exe
    O4 - HKLM\..\RunServices: [Microsoft CONFIG] winmx.exe
    O4 - HKCU\..\Run: [Microsoft CONFIG] winmx.exe

    O4 - HKLM\..\Run: [Microsoft Configoration Service] msconfigs.exe
    O4 - HKLM\..\RunServices: [Microsoft Configoration Service] msconfigs.exe
    O4 - HKCU\..\Run: [Microsoft Configoration Service] msconfigs.exe
    O4 - HKCU\..\RunServices: [Microsoft Configoration Service] msconfigs.exe

    O4 - HKLM\..\Run: [Microsoft Core Support] MSbz32.exe
    O4 - HKLM\..\RunServices: [Microsoft Core Support] MSbz32.exe

    O4 - HKLM\..\Run: [Microsoft Corp. Host Services] svchosl.exe
    O4 - HKLM\..\RunServices: [Microsoft Corp. Host Services] svchosl.exe
    O4 - HKCU\..\Run: [Microsoft Corp. Host Services] svchosl.exe
    O4 - HKCU\..\RunServices: [Microsoft Corp. Host Services] svchosl.exe

    O4 - HKLM\..\Run: [Microsoft DirktorWin] (Random Name).exe
    O4 - HKLM\..\RunServices: [Microsoft DirktorWin] (Random Name).exe

    O4 - HKLM\..\Run: [Microsoft DLL Verifier] csrssv.exe
    O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] csrssv.exe

    O4 - HKLM\..\Run: [Microsoft DLL Verifier] Desktop.exe
    O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] Desktop.exe

    O4 - HKLM\..\Run: [Microsoft DLL Verifier] wns.exe
    O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] wns.exe

    O4 - HKLM\..\Run: [Microsoft Domain Controller] C:\WINDOWS\system32\mstc.exe

    O4 - HKLM\..\Run: [Microsoft Event Engine] EvtEngn.exe
    O4 - HKLM\..\RunServices: [Microsoft Event Engine] EvtEngn.exe

    O4 - HKLM\..\Run: [Microsoft FixUp] (Random Name).exe
    O4 - HKLM\..\RunServices: [Microsoft FixUp] (Random Name).exe

    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\iexplore.exe

    O4 - HKLM\..\Run: [Microsoft Internet Explorer] lEXPLORE.EXE
    O4 - HKLM\..\RunServices: [Microsoft Internet Explorer] lEXPLORE.EXE

    O4 - HKLM\..\Run: [Microsoft Intrenet Explorer] (Random Name).pif
    O4 - HKLM\..\RunServices: [Microsoft Intrenet Explorer] (Random Name).pif

    O4 - HKLM\..\Run: [Microsoft Machine] system32.exe
    O4 - HKLM\..\RunServices: [Microsoft Machine] system32.exe

    O4 - HKLM\..\Run: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE
    O4 - HKLM\..\RunServices: [MICROSFT MX UPDATE SUPPORT] winmx32.EXE

    O4 - HKLM\..\Run: [Microsoft NT Drivers] ntdrv.exe
    O4 - HKLM\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
    O4 - HKCU\..\Run: [Microsoft NT Drivers] ntdrv.exe
    O4 - HKCU\..\RunServices: [Microsoft NT Drivers] ntdrv.exe

    O4 - HKLM\..\Run: [Microsoft Nvidia Video] nvidia.exe
    O4 - HKLM\..\RunServices: [Microsoft Nvidia Video] nvidia.exe
    O4 - HKCU\..\Run: [Microsoft Nvidia Video] nvidia.exe
    O4 - HKCU\..\RunServices: [Microsoft Nvidia Video] nvidia.exe

    O4 - HKLM\..\Run: [Microsoft Patch Update] bootini.exe
    O4 - HKLM\..\RunServices: [Microsoft Patch Update] bootini.exe

    O4 - HKLM\..\Run: [Microsoft sddcE Contol] taskmnegr.exe
    O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] taskmnegr.exe

    O4 - HKLM\..\Run: [Microsoft Security Process] wininit.exe
    O4 - HKLM\..\RunServices: [Microsoft Security Process] wininit.exe
    O4 - HKCU\..\Run: [Microsoft Security Process] wininit.exe

    O4 - HKLM\..\Run: [Microsoft Server] rserv.exe
    O4 - HKLM\..\RunServices: [Microsoft Server] rserv.exe
    O4 - HKCU\..\Run: [Microsoft Server] rserv.exe

    O4 - HKLM\..\Run: [Microsoft Server Applacations] Q8See.exe
    O4 - HKLM\..\RunServices: [Microsoft Server Applacations] Q8See.exe
    O4 - HKCU\..\Run: [Microsoft Server Applacations] Q8See.exe

    O4 - HKLM\..\Run: [Microsoft Service] sysreg11.exe
    O4 - HKLM\..\RunServices: [Microsoft Service] sysreg11.exe

    O4 - HKLM\..\Run: [Microsoft Services] srvchost.exe
    O4 - HKLM\..\RunServices: [Microsoft Services] srvchost.exe
    O4 - HKCU\..\Run: [Microsoft Services] srvchost.exe

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] winrestore.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] winrestore.exe
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] winrestore.exe

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] winupcd.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] winupcd.exe
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] winupcd.exe

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] xpfilesys.exe
    O4 - HKCU\..\Run: [Microsoft Telecoms Center] xpfilesys.exe

    O4 - HKLM\..\Run: [Micrcoft Updat] spoolsae.exe
    O4 - HKLM\..\RunServices: [Micrcoft Updat] spoolsae.exe

    O4 - HKLM\..\Run: [Microsft Updtes] sarvice.exe
    O4 - HKLM\..\RunServices: [Microsft Updtes] sarvice.exe

    O4 - HKLM\..\Run: [Microsoft Update] bling.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] bling.exe
    O4 - HKCU\..\Run: [Microsoft Update] bling.exe

    O4 - HKLM\..\Run: [Microsoft Update] WinDrv32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] WinDrv32.exe
    O4 - HKCU\..\Run: [Microsoft Update] WinDrv32.exe

    O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
    O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe

    O4 - HKLM\..\Run: [Microsoft Update] Sygate.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] Sygate.exe
    O4 - HKCU\..\Run: [Microsoft Update] Sygate.exe

    O4 - HKLM\..\Run: [Microsoft Update] system32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] system32.exe
    O4 - HKCU\..\Run: [Microsoft Update] system32.exe

    O4 - HKLM\..\Run: [Microsoft Update] update.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] update.exe
    O4 - HKCU\..\Run: [Microsoft Update] update.exe

    O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe

    O4 - HKLM\..\Run: [Microft Update 32] winssx.exe
    O4 - HKLM\..\RunServices: [Microft Update 32] winssx.exe

    O4 - HKLM\..\Run: [Microsoft Update 32] neta.exe
    O4 - HKLM\..\RunServices: [Microsoft Update 32] neta.exe

    O4 - HKLM\..\Run: [Microsoft Update 32] network.exe
    O4 - HKLM\..\RunServices: [Microsoft Update 32] network.exe

    O4 - HKLM\..\Run: [Microsoft Update 32] windowsp.exe
    O4 - HKLM\..\RunServices: [Microsoft Update 32] windowsp.exe

    O4 - HKLM\..\Run: [Microsoft Update 32] wininit.exe
    O4 - HKLM\..\RunServices: [Microsoft Update 32] wininit.exe

    O4 - HKLM\..\Run: [Microsoft Update Drivers] explorers.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Drivers] explorers.exe

    O4 - HKLM\..\Run: [Microsoft Update Machine] cssrssv.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] cssrssv.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] cssrssv.exe

    O4 - HKLM\..\Run: [Microsft Upgraed] (Random Name).exe
    O4 - HKLM\..\RunServices: [Microsft Upgraed] (Random Name).exe

    O4 - HKLM\..\Run: [Microsoft web update] webmsn.exe
    O4 - HKLM\..\RunServices: [Microsoft web update] webmsn.exe

    O4 - HKLM\..\Run: [Microsoft WIN32 DOS] MSdos32.exe
    O4 - HKLM\..\RunServices: [Microsoft WIN32 DOS] MSdos32.exe

    O4 - HKLM\..\Run: [Microsoft WIN32 Security] MSsec32.exe
    O4 - HKLM\..\RunServices: [Microsoft WIN32 Security] MSsec32.exe

    F2 - REG:system.ini: Shell=Explorer.exe msclt.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msclt.exe
    O4 - HKLM\..\Run: [Microsoft Windows Client Firewall] msclt.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Client Firewall] msclt.exe
    O4 - HKCU\..\Run: [Microsoft Windows Client Firewall] msclt.exe
    O4 - HKCU\..\RunServices: [Microsoft Windows Client Firewall] msclt.exe

    F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bootini.exe
    O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows] bootini.exe
    O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
    O4 - HKCU\..\RunServices: [Microsoft Windows] bootini.exe

    O4 - HKLM\..\Run: [Microsoft Windows Drivers] windrv.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Drivers] windrv.exe
    O4 - HKCU\..\Run: [Microsoft Windows Drivers] windrv.exe
    O4 - HKCU\..\RunServices: [Microsoft Windows Drivers] windrv.exe

    O4 - HKLM\..\Run: [Microsoft Windows Secure] windocs.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Secure] windocs.exe
    O4 - HKCU\..\Run: [Microsoft Windows Secure] windocs.exe

    O4 - HKLM\..\Run: [Microsoft Windows Startup] explorer.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Startup] explorer.exe

    O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe

    O4 - HKLM\..\Run: [MICROSOFT Windows update] pdate.exe
    O4 - HKLM\..\RunServices: [MICROSOFT Windows update] pdate.exe
    O4 - HKCU\..\Run: [MICROSOFT Windows update] pdate.exe

    O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
    O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
    O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe

    O4 - HKLM\..\Run: [Microsoft Xp] pdate.exe
    O4 - HKLM\..\RunServices: [Microsoft Xp] pdate.exe

    O4 - HKLM\..\Run: [Mirsoft sdcE] taskmegr.exe
    O4 - HKLM\..\RunServices: [Mirsoft sdcE] taskmegr.exe

    O4 - HKLM\..\Run: [Microsot NT Support] (Random Name).EXE
    O4 - HKLM\..\RunServices: [Microsot NT Support] (Random Name).EXE

    O4 - HKLM\..\Run: [MS Domain Name Server Deamon] MSDNSD32.exe
    O4 - HKLM\..\RunServices: [MS Domain Name Server Deamon] MSDNSD32.exe
    O4 - HKCU\..\Run: [MS Domain Name Server Deamon] MSDNSD32.exe

    F2 - REG:system.ini: Shell=Explorer.exe javaapplets.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,javaapplets.exe
    O4 - HKLM\..\Run: [MS Java Applets for Windows NT, ME & XP] javaapplets.exe
    O4 - HKLM\..\RunServices: [MS Java Applets for Windows NT, ME & XP] javaapplets.exe
    O4 - HKCU\..\Run: [MS Java Applets for Windows NT, ME & XP] javaapplets.exe
    O4 - HKCU\..\RunServices: [MS Java Applets for Windows NT, ME & XP] javaapplets.exe

    F2 - REG:system.ini: Shell=Explorer.exe javaapplet.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,javaapplet.exe
    O4 - HKLM\..\Run: [MS Java Applets for Windows NT & XP] javaapplet.exe
    O4 - HKLM\..\RunServices: [MS Java Applets for Windows NT & XP] javaapplet.exe
    O4 - HKCU\..\Run: [MS Java Applets for Windows NT & XP] javaapplet.exe
    O4 - HKCU\..\RunServices: [MS Java Applets for Windows NT & XP] javaapplet.exe

    F2 - REG:system.ini: Shell=Explorer.exe msjava.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msjava.exe
    O4 - HKLM\..\Run: [Ms Java for Windows NT] msjava.exe
    O4 - HKLM\..\RunServices: [Ms Java for Windows NT] msjava.exe
    O4 - HKCU\..\Run: [Ms Java for Windows NT] msjava.exe
    O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msjava.exe
    (or filename - mguard.exe / msi32java.exe / (Random Number)_netapi.exe / MS32.exe)

    F2 - REG:system.ini: Shell=Explorer.exe xpjavams.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xpjavams.exe
    O4 - HKLM\..\Run: [MS Java for Windows NT, XP & ME] xpjavams.exe
    O4 - HKLM\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe
    O4 - HKCU\..\Run: [MS Java for Windows NT, XP & ME] xpjavams.exe
    O4 - HKCU\..\RunServices: [MS Java for Windows NT, XP & ME] xpjavams.exe

    F2 - REG:system.ini: Shell=Explorer.exe javanet.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,javanet.exe
    O4 - HKLM\..\Run: [MS Java for Windows XP & NT] javanet.exe
    O4 - HKLM\..\RunServices: [MS Java for Windows XP & NT] javanet.exe
    O4 - HKCU\..\Run: [MS Java for Windows XP & NT] javanet.exe
    O4 - HKCU\..\RunServices: [MS Java for Windows XP & NT] javanet.exe

    F2 - REG:system.ini: Shell=Explorer.exe msjavames.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msjavames.exe
    O4 - HKLM\..\Run: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe
    O4 - HKLM\..\RunServices: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe
    O4 - HKCU\..\Run: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe
    O4 - HKCU\..\RunServices: [Ms Java for Windows 98, NT, ME & XP] msjavames.exe

    F2 - REG:system.ini: Shell=Explorer.exe msjavaxps.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msjavaxps.exe
    O4 - HKLM\..\Run: [Ms Java for Windows 98, NT, XP & ME] msjavaxps.exe
    O4 - HKLM\..\RunServices: [Ms Java for Windows 98, NT, XP & ME] msjavaxps.exe
    O4 - HKCU\..\Run: [Ms Java for Windows 98, NT, XP & ME] msjavaxps.exe
    O4 - HKCU\..\RunServices: [Ms Java for Windows 98, NT, XP & ME] msjavaxps.exe

    F2 - REG:system.ini: Shell=Explorer.exe wrapper.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wrapper.exe
    O4 - HKLM\..\Run: [MS Java Service Wrapper for Windows NT & XP] wrapper.exe
    O4 - HKLM\..\RunServices: [MS Java Service Wrapper for Windows NT & XP] wrapper.exe
    O4 - HKCU\..\Run: [MS Java Service Wrapper for Windows NT & XP] wrapper.exe
    O4 - HKCU\..\RunServices: [MS Java Service Wrapper for Windows NT & XP] wrapper.exe

    F2 - REG:system.ini: Shell=Explorer.exe msijavaupdt32.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msijavaupdt32.exe
    O4 - HKLM\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
    O4 - HKLM\..\RunServices: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
    O4 - HKCU\..\Run: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
    O4 - HKCU\..\RunServices: [Ms Java Update For Windows NT/XP] msijavaupdt32.exe
    (or filename - msejavaupdt32.exe)

    F2 - REG:system.ini: Shell=Explorer.exe msident.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msident.exe
    O4 - HKLM\..\Run: [MS Security Update 993] msident.exe
    O4 - HKLM\..\RunServices: [MS Security Update 993] msident.exe
    O4 - HKCU\..\Run: [MS Security Update 993] msident.exe
    O4 - HKCU\..\RunServices: [MS Security Update 993] msident.exe

    O4 - HKLM\..\Run: [Ms System Config] Mscfg.exe
    O4 - HKLM\..\RunServices: [Ms System Config] Mscfg.exe
    O4 - HKCU\..\Run: [Ms System Config] Mscfg.exe
    O4 - HKCU\..\RunServices: [Ms System Config] Mscfg.exe

    O4 - HKLM\..\Run: [MS Service Drivers] winscv.exe
    O4 - HKLM\..\RunServices: [MS Service Drivers] winscv.exe
    O4 - HKCU\..\Run: [MS Service Drivers] winscv.exe
    O4 - HKCU\..\RunServices: [MS Service Drivers] winscv.exe

    F2 - REG:system.ini: Shell=Explorer.exe winservnt32.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,winservnt32.exe
    O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
    O4 - HKLM\..\RunServices: [Ms Update WinServices NT/XP] winservnt32.exe
    O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
    O4 - HKCU\..\RunServices: [Ms Update WinServices NT/XP] winservnt32.exe

    O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
    O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

    F2 - REG:system.ini: Shell=Explorer.exe msdnxp.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msdnxp.exe
    O4 - HKLM\..\RunServices: [MSDN for Windows NT & WinXP] msdnxp.exe
    O4 - HKCU\..\RunServices: [MSDN for Windows NT & WinXP] msdnxp.exe

    F2 - REG:system.ini: Shell=Explorer.exe msdn-nt.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msdn-nt.exe
    O4 - HKLM\..\RunServices: [MSDN for Windows with NT's] msdn-nt.exe
    O4 - HKCU\..\RunServices: [MSDN for Windows with NT's] msdn-nt.exe

    O4 - HKLM\..\Run: [MSDOS Windows Service] MSDOS.PIF
    O4 - HKLM\..\RunServices: [MSDOS Windows Service] MSDOS.PIF
    O4 - HKCU\..\Run: [MSDOS Windows Service] MSDOS.PIF

    O4 - HKCU\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
    O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe

    O4 - HKLM\..\Run: [msnsmgr] MsnMsr.exe

    O4 - HKLM\..\Run: [MSN Checker] msnchecker.exe
    O4 - HKLM\..\RunServices: [MSN Checker] msnchecker.exe
    O4 - HKCU\..\Run: [MSN Checker] msnchecker.exe
    O4 - HKCU\..\RunServices: [MSN Checker] msnchecker.exe

    O4 - HKLM\..\Run: [MSN messanger] msnmsgsm.exe
    O4 - HKLM\..\RunServices: [MSN messanger] msnmsgsm.exe

    O4 - HKLM\..\Run: [Msn Messenger] msnmsgs.exe

    O4 - HKLM\..\Run: [MSN MESSENGER] svhostes.exe
    O4 - HKLM\..\RunServices: [MSN MESSENGER] svhostes.exe
    O4 - HKCU\..\Run: [MSN MESSENGER] svhostes.exe

    O4 - HKCU\..\Run: [Msn Plus Updater] msnplus.exe
    O4 - HKCU\..\RunServices: [Msn Plus Updater] msnplus.exe
    O4 - HKLM\..\Run: [Msn Plus Updater] msnplus.exe
    O4 - HKLM\..\RunServices: [Msn Plus Updater] msnplus.exe

    O4 - HKLM\..\Run: [Msn Messenger update] msnservice.exe
    O4 - HKLM\..\RunServices: [Msn Messenger update] msnservice.exe

    O4 - HKLM\..\Run: [MSN Update] dllcon.exe
    O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
    O4 - HKCU\..\Run: [MSN Update] dllcon.exe

    O4 - HKLM\..\Run: [mssonfig] winupdate.exe
    O4 - HKLM\..\RunServices: [mssonfig] winupdate.exe

    F2 - REG:system.ini: Shell=Explorer.exe mssqlsnt.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mssqlsnt.exe
    O4 - HKLM\..\RunServices: [MSSQL for Windows NT & XP] mssqlsnt.exe
    O4 - HKCU\..\RunServices: [MSSQL for Windows NT & XP] mssqlsnt.exe

    O4 - HKLM\..\Run: [msvcc25] svcchost.exe
    O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe

    O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
    O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

    O4 - HKLM\..\Run: [Name Server] mswins.exe
    O4 - HKLM\..\RunServices: [Name Server] mswins.exe
    O4 - HKCU\..\Run: [Name Server] mswins.exe

    O4 - HKLM\..\Run: [NeroFil] NeroFil.EXE
    O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
    O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
    O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE

    O4 - HKLM\..\Run: [NetBiosSrvc] HPSrvPrt.exe
    O4 - HKCU\..\Run: [NetBiosSrvc] HPSrvPrt.exe

    O4 - HKLM\..\Run: [New Csnm Manager] csmn.exe
    O4 - HKLM\..\RunServices: [New Csnm Manager] csmn.exe
    O4 - HKCU\..\Run: [New Csnm Manager] csmn.exe
    O4 - HKCU\..\RunServices: [New Csnm Manager] csmn.exe

    O4 - HKLM\..\Run: [Nokia Check] nokiacheck.exe
    O4 - HKLM\..\RunServices: [Nokia Check] nokiacheck.exe
    O4 - HKCU\..\Run: [Nokia Check] nokiacheck.exe
    O4 - HKCU\..\RunServices: [Nokia Check] nokiacheck.exe

    O4 - HKLM\..\Run: [Norton Update] cUpdate.exe
    O4 - HKLM\..\RunServices: [Norton Update] cUpdate.exe

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] sysman.exe
    O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] sysman.exe
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] sysman.exe

    O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
    O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe

    O4 - HKLM\..\Run: [Plasdll service] (Random Name).exe
    O4 - HKLM\..\RunServices: [Plasdll service] (Random Name).exe

    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\vmmon32.exe
    O4 - HKLM\..\RunServices: [Printer] C:\WINDOWS\system32\vmmon32.exe
    O4 - HKCU\..\Run: [Printer] C:\WINDOWS\system32\vmmon32.exe

    F2 - REG:system.ini: Shell=Explorer.exe glossary.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,glossary.exe
    O4 - HKLM\..\Run: [RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server] glossary.exe
    O4 - HKLM\..\RunServices: [RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server] glossary.exe
    O4 - HKCU\..\Run: [RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server] glossary.exe
    O4 - HKCU\..\RunServices: [RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server] glossary.exe

    O4 - HKLM\..\Run: [Registry Value Name] (Random Name).exe
    O4 - HKLM\..\RunServices: [Registry Value Name] (Random Name).exe

    O4 - HKLM\..\Run: [RPC Service] (Random Name).exe
    O4 - HKLM\..\RunServices: [RPC Service] (Random Name).exe

    O4 - HKLM\..\Run: [service] C:\WINDOWS\system32\service.exe

    O4 - HKLM\..\Run: [Service Monitor] csnss.exe
    O4 - HKLM\..\RunServices: [Service Monitor] csnss.exe

    O4 - HKLM\..\Run: [Service Monitor] msmisso.exe
    O4 - HKLM\..\RunServices: [Service Monitor] msmisso.exe

    F2 - REG:system.ini: Shell=Explorer.exe SndMAX.exe
    O4 - HKLM\..\Run: [SoundMax Audio Drivers] SndMAX.exe
    O4 - HKLM\..\RunServices: [SoundMax Audio Drivers] SndMAX.exe
    O4 - HKCU\..\Run: [SoundMax Audio Drivers] SndMAX.exe
    O4 - HKCU\..\RunServices: [SoundMax Audio Drivers] SndMAX.exe

    O4 - HKLM\..\Run: [Soundmax Audio Drivers] soundmax.exe
    O4 - HKLM\..\RunServices: [Soundmax Audio Drivers] soundmax.exe
    O4 - HKCU\..\Run: [Soundmax Audio Drivers] soundmax.exe
    O4 - HKCU\..\RunServices: [Soundmax Audio Drivers] soundmax.exe

    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe

    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe

    O4 - HKLM\..\Run: [Startup Configuration] (Random Name).exe
    O4 - HKLM\..\RunServices: [Startup Configuration] (Random Name).exe

    F2 - REG:system.ini: Shell=Explorer.exe jconsole.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jconsole.exe
    O4 - HKLM\..\Run: [Sun Java Console for Windows NT & XP] jconsole.exe
    O4 - HKLM\..\RunServices: [Sun Java Console for Windows NT & XP] jconsole.exe
    O4 - HKCU\..\Run: [Sun Java Console for Windows NT & XP] jconsole.exe
    O4 - HKCU\..\RunServices: [Sun Java Console for Windows NT & XP] jconsole.exe

    O4 - HKLM\..\Run: [Sygate Personal Firewall] un1x.exe
    O4 - HKLM\..\RunServices: [Sygate Personal Firewall] un1x.exe
    O4 - HKCU\..\Run: [Sygate Personal Firewall] un1x.exe

    O4 - HKLM\..\Run: [SySSL] sysl.exe
    O4 - HKLM\..\RunServices: [SySSL] sysl.exe

    O4 - HKLM\..\Run: [System] nav32.exe
    O4 - HKLM\..\RunServices: [System] nav32.exe
    O4 - HKCU\..\Run: [System] nav32.exe
    O4 - HKCU\..\RunServices: [System] nav32.exe

    O4 - HKLM\..\Run: [System] REG1.exe
    O4 - HKLM\..\RunServices: [System] REG1.exe
    O4 - HKCU\..\Run: [System] REG1.exe
    O4 - HKCU\..\RunServices: [System] REG1.exe

    O4 - HKLM\..\Run: [System] C:\WINDOWS\smss.exe

    O4 - HKLM\..\Run: [System] winupd.exe
    O4 - HKLM\..\RunServices: [System] winupd.exe
    O4 - HKCU\..\Run: [System] winupd.exe
    O4 - HKCU\..\RunServices: [System] winupd.exe

    O4 - HKLM\..\Run: [System Download Manager] SysMgr.exe
    O4 - HKLM\..\RunServices: [System Download Manager] SysMgr.exe

    O4 - HKLM\..\Run: [System Service] backup.exe
    O4 - HKLM\..\RunServices: [System Service] backup.exe

    O4 - HKLM\..\Run: [System Service] serious.exe
    O4 - HKLM\..\RunServices: [System Service] serious.exe

    O4 - HKLM\..\Run: [System Service] servicess.exe
    O4 - HKLM\..\RunServices: [System Service] servicess.exe

    O4 - HKLM\..\Run: [System Updated] svchoes.exe
    O4 - HKLM\..\RunServices: [System Updated] svchoes.exe
    O4 - HKCU\..\Run: [System Updated] svchoes.exe
    O4 - HKCU\..\RunServices: [System Updated] svchoes.exe

    O4 - HKLM\..\Run: [System Update Service] update.pif
    O4 - HKLM\..\RunServices: [System Update Service] update.pif
    O4 - HKCU\..\Run: [System Update Service] update.pif
    O4 - HKCU\..\RunServices: [System Update Service] update.pif

    O4 - HKLM\..\Run: [sysygm32] syscxd32.exe

    O4 - HKLM\..\Run: [sysygm64] winrxd64.exe

    O4 - HKLM\..\Run: [Update] winzip.exe
    O4 - HKLM\..\RunServices: [Update] winzip.exe

    O4 - HKLM\..\Run: [Update Windows] EXPLORE.EXE
    O4 - HKLM\..\RunServices: [Update Windows] EXPLORE.EXE

    O4 - HKLM\..\Run: [Update Windows] svch0st.exe
    O4 - HKLM\..\RunServices: [Update Windows] svch0st.exe

    O4 - HKLM\..\Run: [valuename] r.exe
    O4 - HKLM\..\RunServices: [valuename] r.exe
    O4 - HKCU\..\Run: [valuename] r.exe
    O4 - HKCU\..\RunServices: [valuename] r.exe

    O4 - HKLM\..\Run: [valuename] svchosts.exe
    O4 - HKLM\..\RunServices: [valuename] svchosts.exe
    O4 - HKCU\..\Run: [valuename] svchosts.exe
    O4 - HKCU\..\RunServices: [valuename] svchosts.exe

    O4 - HKLM\..\Run: [virtual] winprotect.exe
    O4 - HKLM\..\RunServices: [virtual] winprotect.exe

    O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
    O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe

    O4 - HKLM\..\Run: [VCS Host] vcshost.exe
    O4 - HKCU\..\Run: [VCS Host] vcshost.exe
    O4 - HKLM\..\RunServices: [VCS Host] vcshost.exe

    O4 - HKLM\..\Run: [WIN prosessor16] (Random Name).exe
    O4 - HKLM\..\RunServices: [WIN prosessor16] (Random Name).exe

    O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe

    O4 - HKLM\..\Run: [WinampPlugin] winampa.exe
    O4 - HKLM\..\RunServices: [WinampPlugin] winampa.exe

    O4 - HKLM\..\Run: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe
    O4 - HKLM\..\RunServices: [Windowfdgfds DLL fgfdg Verifier] winsecure.exe

    O4 - HKLM\..\Run: [WindowsBool] aimplg.exe
    O4 - HKLM\..\RunServices: [WindowsBool] aimplg.exe
    O4 - HKCU\..\Run: [WindowsBool] aimplg.exe

    O4 - HKLM\..\Run: [WindowsFileSystem] winsfs32.exe
    O4 - HKLM\..\RunServices: [WindowsFileSystem] winsfs32.exe
    O4 - HKCU\..\Run: [WindowsFileSystem] winsfs32.exe

    O4 - HKLM\..\Run: [Win32 Security Protocol] secure32.exe
    O4 - HKLM\..\RunServices: [Win32 Security Protocol] secure32.exe
    O4 - HKCU\..\Run: [Win32 Security Protocol] secure32.exe

    O4 - HKLM\..\Run: [win32 update service] svchostt.exe
    O4 - HKCU\..\Run: [win32 update service] svchostt.exe
    O4 - HKLM\..\RunServices: [win32 update service] svchostt.exe

    F2 - REG:system.ini: Shell=Explorer.exe osndyrn.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,osndyrn.exe
    O4 - HKLM\..\Run: [Windows Communicator for NT/XP] osndyrn.exe
    O4 - HKLM\..\RunServices: [Windows Communicator for NT/XP] osndyrn.exe
    O4 - HKCU\..\Run: [Windows Communicator for NT/XP] osndyrn.exe
    O4 - HKCU\..\RunServices: [Windows Communicator for NT/XP] osndyrn.exe

    O4 - HKLM\..\Run: [Windows Compliant] (Random Name).exe
    O4 - HKLM\..\RunServices: [Windows Compliant] (Random Name).exe
    O4 - HKCU\..\Run: [Windows Compliant] (Random Name).exe

    O4 - HKLM\..\Run: [Windows Config] ZANBOR.EXE

    O4 - HKLM\..\Run: [Windows Config Connection] msicll.exe
    O4 - HKLM\..\RunServices: [Windows Config Connection] msicll.exe

    O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe

    F2 - REG:system.ini: Shell=Explorer.exe chh.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,chh.exe
    O4 - HKLM\..\Run: [Windows firewall manager] chh.exe
    O4 - HKLM\..\RunServices: [Windows firewall manager] chh.exe
    O4 - HKCU\..\Run: [Windows firewall manager] chh.exe
    O4 - HKCU\..\RunServices: [Windows firewall manager] chh.exe

    F2 - REG:system.ini: Shell=Explorer.exe msguard.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,msguard.exe
    O4 - HKLM\..\Run: [Windows firewall manager] msguard.exe
    O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
    O4 - HKCU\..\Run: [Windows firewall manager] msguard.exe
    O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe

    O4 - HKLM\..\Run: [Windows HTTP services] winhttps.exe
    O4 - HKLM\..\RunServices: [Windows HTTP services] winhttps.exe

    F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wkssvr.exe
    O4 - HKLM\..\Run: [Windows Kernel System Service] wkssvr.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\Run: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe

    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\winIogon.exe

    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe

    O4 - HKLM\..\Run: [Windows Login Manager] winlogin.exe
    O4 - HKLM\..\RunServices: [Windows Login Manager] winlogin.exe
    O4 - HKCU\..\Run: [Windows Login Manager] winlogin.exe

    O4 - HKLM\..\Run: [Windows Media Player Service] wmedia.exe
    O4 - HKLM\..\RunServices: [Windows Media Player Service] wmedia.exe
    O4 - HKCU\..\Run: [Windows Media Player Service] wmedia.exe
    O4 - HKCU\..\RunServices: [Windows Media Player Service] wmedia.exe

    O4 - HKLM\..\Run: [Windows mod Verifier] Windows-mod.exe
    O4 - HKLM\..\RunServices: [Windows mod Verifier] Windows-mod.exe

    O4 - HKLM\..\Run: [Windows modz Verifier] Meseger.exe
    O4 - HKLM\..\RunServices: [Windows modz Verifier] Meseger.exe

    O4 - HKLM\..\Run: [Windows modez Verifier] Windows-.exe
    O4 - HKLM\..\RunServices: [Windows modez Verifier] Windows-.exe

    O4 - HKLM\..\Run: [Windows modez Verifier] winl0g0z.exe
    O4 - HKLM\..\RunServices: [Windows modez Verifier] winl0g0z.exe

    O4 - HKLM\..\Run: [Windows mplayercodex Services] MSPF.EXE
    O4 - HKLM\..\RunServices: [Windows mplayercodex Services] MSPF.EXE
    O4 - HKCU\..\Run: [Windows mplayercodex Services] MSPF.EXE
    O4 - HKCU\..\RunServices: [Windows mplayercodex Services] MSPF.EXE

    O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe

    O4 - HKLM\..\Run: [Windows Print Monitor Daemon] (Random Name).exe
    O4 - HKLM\..\RunServices: [Windows Print Monitor Daemon] (Random Name).exe
    O4 - HKCU\..\Run: [Windows Print Monitor Daemon] (Random Name).exe

    O4 - HKLM\..\Run: [Windows Registers] winservicess.exe
    O4 - HKLM\..\RunServices: [Windows Registers] winservicess.exe
    O4 - HKCU\..\Run: [Windows Registers] winservicess.exe

    O4 - HKLM\..\Run: [Windows Secure Layer] (Random Name).exe
    O4 - HKLM\..\RunServices: [Windows Secure Layer] (Random Name).exe
    O4 - HKCU\..\Run: [Windows Secure Layer] (Random Name).exe

    O4 - HKLM\..\Run: [Windows Security Service] windows.pif
    O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
    O4 - HKCU\..\Run: [Windows Security Service] windows.pif
    O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif

    O4 - HKLM\..\Run: [Windows Security Update] winupdat.exe
    O4 - HKLM\..\RunServices: [Windows Security Update] winupdat.exe
    O4 - HKCU\..\Run: [Windows Security Update] winupdat.exe

    O4 - HKLM\..\Run: [Windows Security Update] (Random Name).exe
    O4 - HKLM\..\RunServices: [Windows Security Update] (Random Name).exe
    O4 - HKCU\..\Run: [Windows Security Update] (Random Name).exe

    O4 - HKLM\..\Run: [Windows Services] spoolsvc.exe
    O4 - HKLM\..\RunServices: [Windows Services] spoolsvc.exe
    O4 - HKCU\..\Run: [Windows Services] spoolsvc.exe
    O4 - HKCU\..\RunServices: [Windows Services] spoolsvc.exe

    O4 - HKLM\..\Run: [Windows Socket Procedure] WinSock32.exe
    O4 - HKLM\..\RunServices: [Windows Socket Procedure] WinSock32.exe

    O4 - HKLM\..\Run: [Windows Sound Verifier] WinIp32.exe
    O4 - HKLM\..\RunServices: [Windows Sound Verifier] WinIp32.exe

    O4 - HKLM\..\Run: [Windows SSH Client] winssh.exe
    O4 - HKLM\..\RunServices: [Windows SSH Client] winssh.exe
    O4 - HKCU\..\Run: [Windows SSH Client] winssh.exe
    O4 - HKCU\..\RunServices: [Windows SSH Client] winssh.exe

    O4 - HKLM\..\Run: [Windows System] winsys.exe
    O4 - HKLM\..\RunServices: [Windows System] winsys.exe

    O4 - HKLM\..\Run: [Windows Update] msnupdates.exe
    O4 - HKLM\..\RunServices: [Windows Update] msnupdates.exe
    O4 - HKCU\..\Run: [Windows Update] msnupdates.exe

    O4 - HKLM\..\Run: [Windows Update] update32.exe
    O4 - HKLM\..\RunServices: [Windows Update] update32.exe

    O4 - HKLM\..\Run: [Windows Update] wupdate.exe
    O4 - HKLM\..\RunServices: [Windows Update] wupdate.exe

    O4 - HKLM\..\Run: [Windows Updates] winlogon32.exe
    O4 - HKLM\..\RunServices: [Windows Updates] winlogon32.exe

    O4 - HKLM\..\Run: [Windows Update IPv6 Layer] (Random Name).exe
    O4 - HKLM\..\RunServices: [Windows Update IPv6 Layer] (Random Name).exe
    O4 - HKCU\..\Run: [Windows Update IPv6 Layer] (Random Name).exe

    O4 - HKLM\..\Run: [Windows Update Drive] updrvs.exe
    O4 - HKLM\..\RunServices: [Windows Update Drive] updrvs.exe
    O4 - HKCU\..\Run: [Windows Update Drive] updrvs.exe

    O4 - HKLM\..\Run: [Windows Winhlp32 Stub Service] winhlp32.pif
    O4 - HKLM\..\RunServices: [Windows Winhlp32 Stub Service] winhlp32.pif
    O4 - HKCU\..\Run: [Windows Winhlp32 Stub Service] winhlp32.pif
    O4 - HKCU\..\RunServices: [Windows Winhlp32 Stub Service] winhlp32.pif

    O4 - HKLM\..\Run: [Windows Workstation Service] explore.exe
    O4 - HKLM\..\RunServices: [Windows Workstation Service] explore.exe

    O4 - HKLM\..\Run: [Windows Workstation Service] wor.exe
    O4 - HKLM\..\RunServices: [Windows Workstation Service] wor.exe

    O4 - HKLM\..\Run: [WinFix service] (Random Name).exe
    O4 - HKLM\..\RunServices: [WinFix service] (Random Name).exe

    O4 - HKLM\..\Run: [WinFixer service] (Random Name).exe
    O4 - HKLM\..\RunServices: [WinFixer service] (Random Name).exe

    O4 - HKLM\..\Run: [WinReg32 service] (Random Name).exe
    O4 - HKLM\..\RunServices: [WinReg32 service] (Random Name).exe

    O4 - HKLM\..\Run: [winsystems25] winsystems.exe
    O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe

    O4 - HKLM\..\Run: [winystems25] winystems.exe
    O4 - HKLM\..\RunServices: [winystems25] winystems.exe

    O4 - HKLM\..\Run: [Winz Firewall] (Random Name).exe
    O4 - HKLM\..\RunServices: [Winz Firewall] (Random Name).exe
    O4 - HKCU\..\Run: [Winz Firewall] (Random Name).exe

    O4 - HKLM\..\Run: [Zonesoft Cleaner] C:\WINDOWS\system32\\rnsys.exe
    O4 - HKLM\..\Run: [Zonesoft Cleaner] C:\WINDOWS\system32\\svmgr.exe

    O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: Application Layer Gateway System (ALGS) - Unknown owner - C:\WINDOWS\system32\algsys.exe
    O23 - Service: Asus Motherboard Utility (Asus) - Unknown owner - C:\WINDOWS\asus.exe
    O23 - Service: chckntfs - Unknown owner - C:\WINDOWS\chckntfs.exe
    O23 - Service: chkext(chkext) (chkext) - Unknown owner - C:\WINDOWS\system32\chkext.exe
    O23 - Service: Clients Server Runtime Process (Windows Internet) - Unknown owner - C:\WINDOWS\csrss.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe
    O23 - Service: crss32.exe - Unknown owner - C:\WINDOWS\crss32.exe
    O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINDOWS\dcmhelp.exe
    O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINDOWS\dsrss.exe
    O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\system32\dxdmain.exe
    O23 - Service: Dynamic Library Host (DLLHOSTS) - Unknown owner - C:\WINDOWS\dllhost.exe
    O23 - Service: firefox auto update - Unknown owner - C:\WINDOWS\firefox.exe
    O23 - Service: Generic Host Process For Win32 Services (Generic Host Process) - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: InstallDriver Service (ISDS) - Unknown owner - C:\WINDOWS\system32\csscv.exe
    O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
    O23 - Service: Italian Grand Prix - Unknown owner - C:\WINDOWS\system32\dllcache\grand.exe
    O23 - Service: iTunes Music Service (iTunesMusic) - Apple - C:\WINDOWS\iTunesMusic.exe
    O23 - Service: JavaPlatform64 - Unknown owner - C:\WINDOWS\JavaPlatform
    O23 - Service: Kernell32 - Unknown owner - C:\WINDOWS\system32\termsv.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
    O23 - Service: Microsoft Corporation (Windows Wordpad) - Unknown owner - C:\WINDOWS\wordpad.exe
    O23 - Service: Microsoft DCOM PC Service (mspcdcom) - Unknown owner - C:\WINDOWS\System32\mspcdcom.exe
    O23 - Service: Microsoft DLL System - Unknown owner - C:\WINDOWS\system32\smsc.exe
    O23 - Service: Microsoft DHCPA Service - Unknown owner - C:\WINDOWS\system32\dllcache\mshcp.exe
    O23 - Service: Microsoft HDA Protocol (svhda) - Unknown owner - C:\WINDOWS\svhda.exe
    O23 - Service: Microsoft Logon Service - Unknown owner - C:\WINDOWS\system32\dllcache\mslogon.exe
    O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe
    O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe
    O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe
    O23 - Service: Microsoft Path Finder Service (mspathfinder) - Unknown owner - C:\WINDOWS\mspathfinder
    O23 - Service: Microsoft SCC Host Protocol (POOLSVR) - Unknown owner - C:\WINDOWS\poolsv.exe
    O23 - Service: Microsoft SCC Host Protocol (TaskMGM) - Unknown owner - C:\WINDOWS\taskmg.exe
    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe
    O23 - Service: Microsoft SQL Server Debug (sql) - Unknown owner - C:\WINDOWS\sqldebug.exe
    O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\system32\ssl.exe
    O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe
    O23 - Service: Microsoft Terminal Service - Unknown owner - C:\WINDOWS\system32\dllcache\msterminal.exe
    O23 - Service: Microsoft Windows Avantage Service (Windows Avantage) - Unknown owner - C:\WINDOWS\avantage32.exe
    O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
    O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe
    O23 - Service: Microsoft Windows System32 - Unknown owner - C:\WINDOWS\winsysdir.exe
    O23 - Service: Microsoft Windows System32 - Unknown owner - C:\WINDOWS\winservs.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe
    O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\system32\mousecrm.exe
    O23 - Service: MSCom - Unknown owner - C:\WINDOWS\system32\dllcache\mscom.exe
    O23 - Service: MSCommmand - Unknown owner - C:\WINDOWS\system32\dllcache\mswincom32.exe
    O23 - Service: Msdtc Manager - Unknown owner - C:\WINDOWS\winlogin.exe
    O23 - Service: msecure (mcsecure) - Unknown owner - C:\WINDOWS\mcsecure.exe

    =========================================================
    To be continued
    =========================================================
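Every entry in the list above lands on one of three persistence points: the HKLM/HKCU Run and RunServices keys, the Winlogon Shell= and UserInit= values from system.ini, and installed services (O23). The image names follow a few repeatable patterns: look-alikes of core Windows binaries (svch0st.exe, winIogon.exe with a capital I, spooIsv.exe, scvhost.exe), a genuine name dropped in the wrong directory (C:\WINDOWS\svchost.exe or C:\WINDOWS\lsass.exe instead of system32), a genuine name registered as a Run value at all (the real smss.exe or explorer.exe is never started that way), a second program chained onto Shell= or UserInit=, services running out of the WFP dllcache directory, and .pif autostarts. The Python below is an added example, not part of the original post and not code from HijackThis or SDFix: it triages HijackThis-style lines for exactly those patterns. The sample log lines are constructed from names in the list above; the expected-directory table, the edit-distance threshold and the rule wording are this example's own assumptions.

```python
import re

# ASSUMPTION (this example's table, not from the page): directory of the genuine copy
# of each core Windows binary on an XP-era system, keyed by lower-case file stem.
SYSTEM_BINARIES = {
    "svchost": r"c:\windows\system32",
    "lsass": r"c:\windows\system32",
    "csrss": r"c:\windows\system32",
    "smss": r"c:\windows\system32",
    "winlogon": r"c:\windows\system32",
    "services": r"c:\windows\system32",
    "spoolsv": r"c:\windows\system32",
    "rundll32": r"c:\windows\system32",
    "userinit": r"c:\windows\system32",
    "explorer": r"c:\windows",
}

O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2 = re.compile(r"^F2 - REG:system\.ini: (?P<value>Shell|UserInit)=(?P<cmd>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")


def edit_distance(a, b):
    """Levenshtein distance, used to spot svch0st / winIogon / scvhost style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_image(cmd):
    """(directory, stem, ext) of a command's first token, lower-cased; directory is '' when bare."""
    token = cmd.strip().strip('"').split()[0].replace("\\\\", "\\").lower()
    directory, _, filename = token.rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    return (directory, stem, ext) if dot else (directory, filename, "")


def image_findings(directory, stem, ext, autorun):
    """Heuristics for one image path; autorun=True for Run/RunServices/Shell/UserInit entries."""
    name = f"{stem}.{ext}" if ext else stem
    reasons = []
    if ext in ("pif", "bat", "com", "scr"):
        reasons.append(f"autostart via a .{ext} file")
    if directory.endswith("\\dllcache"):
        reasons.append("image runs from the Windows File Protection dllcache directory")
    if stem in SYSTEM_BINARIES:
        if autorun:
            reasons.append(f"core binary name {stem}.exe registered as an autorun value; "
                           "the real one is never started that way")
        elif directory and directory != SYSTEM_BINARIES[stem]:
            reasons.append(f"{stem}.exe outside its expected directory {SYSTEM_BINARIES[stem]}")
    elif len(stem) >= 5:  # ASSUMPTION: short stems skipped to limit false look-alike hits
        for real in SYSTEM_BINARIES:
            if edit_distance(stem, real) <= 2:  # ASSUMPTION: threshold chosen for this example
                reasons.append(f"{name} looks like a typo-squat of {real}.exe")
                break
    return reasons


def triage_line(line):
    """Reasons a single HijackThis-style line is suspicious ([] when nothing fires)."""
    line = line.strip()
    m = O4.match(line)
    if m:
        return image_findings(*split_image(m["cmd"]), autorun=True)
    m = F2.match(line)
    if m:
        if m["value"] == "Shell":
            parts = m["cmd"].split()
            expected = "explorer.exe"
        else:  # UserInit is a comma-separated list ending in a trailing comma
            parts = [p.strip() for p in m["cmd"].split(",") if p.strip()]
            expected = r"c:\windows\system32\userinit.exe"
        reasons = []
        if not parts or parts[0].lower() != expected:
            reasons.append(f"{m['value']}= no longer points at {expected}")
        for extra in parts[1:]:
            reasons.append(f"extra program chained onto {m['value']}=: {extra}")
            reasons += image_findings(*split_image(extra), autorun=True)
        return reasons
    m = O23.match(line)
    if m:
        return image_findings(*split_image(m["cmd"]), autorun=False)
    return []


def triage(log):
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    results = {}
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            results[line.strip()] = reasons
    return results


# Constructed sample: nine bad lines built from names in the list above plus three
# legitimate XP entries (ctfmon, a clean UserInit, the real Print Spooler) as controls.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Update Windows] svch0st.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\winIogon.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe msclt.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O23 - Service: Generic Host Process For Win32 Services (Generic Host Process) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Italian Grand Prix - Unknown owner - C:\WINDOWS\system32\dllcache\grand.exe
O23 - Service: Remote Debug System - Unknown owner - C:\WINDOWS\system32\scvhost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Two caveats when using something like this on a real log. "Unknown owner" on an O23 line is not an indicator on its own (HijackThis prints it for any image without a company name in its version resource), which is why the script only reacts to the path. And a wrong-path or look-alike hit tells you what to delete in the registry, not what keeps putting it back; in the case above the entries reappear after every reboot because a component outside these keys (the renamed WSOCK32.SYS described in the first post) restores them, so the autorun cleanup has to be done together with removing that file.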
  • edited September 2006
    =====================================================
    SDFix Report#2 - continued
    =====================================================

    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe
    O23 - Service: msvbn - Unknown owner - C:\WINDOWS\msvbn.exe
    O23 - Service: msvrcs(msvrcs) (msvrcs) - Unknown owner - C:\WINDOWS\system32\msvrcs.exe
    O23 - Service: MS DTC console - Unknown owner - C:\WINDOWS\msdtc.exe
    O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe
    O23 - Service: Net Functions Monitoring (Netmon) - Unknown owner - C:\WINDOWS\system32\Netmon.exe
    O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINDOWS\csrsc.exe
    O23 - Service: Network Location Manager - Unknown owner - C:\WINDOWS\system32\lssc.exe
    O23 - Service: Network Provision Managing Service (xmlprovman) - Unknown owner - C:\WINDOWS\system32\provsvc.exe
    O23 - Service: Network Station Task Manager (TSKIB) - Unknown owner - C:\WINDOWS\taskib.exe
    O23 - Service: Network Station Task Manager (TASKSQ) - Unknown owner - C:\WINDOWS\tasksch.exe
    O23 - Service: Norton Online Anti Virus - Unknown owner - C:\WINDOWS\avll32.exe
    O23 - Service: P-SYS (P-SYS Service) - Unknown owner - C:\WINDOWS\termsvrs.exe
    O23 - Service: PE Sytray Manager - Unknown owner - C:\WINDOWS\system32\ssmc.exe
    O23 - Service: PixelModule (pxlmdl) - Unknown owner - C:\WINDOWS\nvidcgui.exe
    O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe
    O23 - Service: regstrmon - Unknown owner - C:\WINDOWS\regstrmon.exe
    O23 - Service: Remote Debug System - Unknown owner - C:\WINDOWS\system32\scvhost.exe
    O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINDOWS\relocater.exe
    O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINDOWS\system32\remote.exe
    O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe
    O23 - Service: Remote Reader Machine - Unknown owner - C:\WINDOWS\system32\ssmc.exe
    O23 - Service: RPC Debug Control (RPCDB) - Unknown owner - C:\WINDOWS\system32\csts.exe
    O23 - Service: rundll32.exe - Unknown owner - C:\WINDOWS\lsass.exe
    O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\msn93.exe
    O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\msngrsm.exe
    O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
    O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe
    O23 - Service: Server Management Service - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: Service Cache Terminal (SVCTERM) - Unknown owner - C:\WINDOWS\system32\svscache.exe
    O23 - Service: Service Logon Protocol (SVSLOG) - Unknown owner - C:\WINDOWS\svslogon.exe
    O23 - Service: services32 (Content List Management Sub System) - Unknown owner - C:\WINDOWS\services32.exe
    O23 - Service: SMS Help Center (SMS32) - Unknown owner - C:\WINDOWS\smss32.exe
    O23 - Service: smsmanger - Unknown owner - C:\WINDOWS\smsmanger.exe
    O23 - Service: smsc - Unknown owner - C:\WINDOWS\smsc.exe
    O23 - Service: smscc - Unknown owner - C:\WINDOWS\smscc.exe
    O23 - Service: sql-smss - Unknown owner - C:\WINDOWS\sql-smss.exe
    O23 - Service: sqldps - Unknown owner - C:\WINDOWS\sqldps.exe
    O23 - Service: sqlmanagement - Unknown owner - C:\WINDOWS\sqlmanagement.exe
    O23 - Service: svahost - Unknown owner - C:\WINDOWS\svahost.exe
    O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe
    O23 - Service: System Driver Service (systemdriver) - Unknown owner - C:\WINDOWS\system32\sysdriver.exe
    O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
    O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
    O23 - Service: System Service Monitor (servicemon) - Unknown owner - C:\WINDOWS\system32\servicemon.exe
    O23 - Service: System Spooler Host - Unknown owner - C:\WINDOWS\system32\dllcache\syspool.exe
    O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe
    O23 - Service: TCPIPSTACK - Unknown owner - C:\WINDOWS\TCPIPSTACK.EXE
    O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe
    O23 - Service: The Sims 2 - Unknown owner - C:\WINDOWS\system32\dllcache\thesims2.exe
    O23 - Service: TskScheduler - Unknown owner - C:\WINDOWS\taskshed.exe
    O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe
    O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINDOWS\userinit.exe
    O23 - Service: Vital Microsoft Sub-system Resource - Unknown owner - C:\WINDOWS\MSVISI.exe
    O23 - Service: wfsup(wfsup) (wfsup) - Unknown owner - C:\WINDOWS\system32\wfsup.exe
    O23 - Service: Win32Export - Unknown owner - C:\WINDOWS\winsysplg.exe
    O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe
    O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe
    O23 - Service: win32 socket (win32socket) - Unknown owner - C:\WINDOWS\win325b.exe
    O23 - Service: win32 update service (defiled) - Unknown owner - C:\WINDOWS\System32\svchostt.exe" -netsvcs
    O23 - Service: winconfig.exe - Unknown owner - C:\WINDOWS\win32dll.exe
    O23 - Service: Window Dispaly System - Unknown owner - C:\WINDOWS\system32\lsays.exe
    O23 - Service: Window Services Connection - Unknown owner - C:\WINDOWS\system32\smsc.exe
    O23 - Service: WindowsSysBoot - Unknown owner - C:\WINDOWS\mvsql.exe
    O23 - Service: Windows Binary Reader - Unknown owner - C:\WINDOWS\system32\smsc.exe
    O23 - Service: Windows Client/Server Runtime Server Subsystem (WCSRSS) - Unknown owner - C:\WINDOWS\wcsrss.exe
    O23 - Service: Windows Decrypt manager (wincrypt32.exe) - Unknown owner - C:\WINDOWS\wincrypt32.exe
    O23 - Service: Windows DLL System - Unknown owner - C:\WINDOWS\system32\smsc.exe
    O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe
    O23 - Service: windows file explorer (explorer) - Unknown owner - C:\WINDOWS\ssms.exe
    O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\system32\wgareg.exe
    O23 - Service: Windows Genuine Advantage Validation Monitor (wgavm) - Unknown owner - C:\WINDOWS\system32\wgavm.exe
    O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
    O23 - Service: Windows Internet Control (Windows Internet) - Unknown owner - C:\WINDOWS\internet.exe
    O23 - Service: Windows Kernel - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: Windows Kernel Services - Unknown owner - C:\WINDOWS\winlogon.exe
    O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
    O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
    O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
    O23 - Service: Windows Management Instrument Driver Includes (WMIDriverInc) - Unknown owner - C:\WINDOWS\wmiprvse.exe
    O23 - Service: Windows Management Updater (WinManUpdater) - Unknown owner - C:\WINDOWS\smss.exe
    O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\smss.exe
    O23 - Service: Windows NT Session Managers - Unknown owner - C:\WINDOWS\smss.exe
    O23 - Service: Windows PE Debugger - Unknown owner - C:\WINDOWS\system32\lviss.exe
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe
    O23 - Service: Windows Register Control - Unknown owner - C:\WINDOWS\register.exe
    O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: Windows Socket System Service - Unknown owner - C:\WINDOWS\system32\dllcache\wksrvs.exe
    O23 - Service: Windows Services Configuration - Unknown owner - C:\WINDOWS\system32\lsvss.exe
    O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe
    O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe
    O23 - Service: Windows Updater (Win32Export) - Unknown owner - C:\WINDOWS\win64tyt.exe
    O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msmgs.exe
    O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\msnwebmgr.exe
    O23 - Service: wins(WINS) (wins) - Unknown owner - C:\WINDOWS\system32\winscntrl.exe
    O23 - Service: winupd - Unknown owner - C:\WINDOWS\winupd.exe
    O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\AIMClient.exe
    O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe
    O23 - Service: WmDmPsp - Unknown owner - C:\WINDOWS\system32\sysdtc32.exe
    O23 - Service: Work Station Development (NTDEV) - Unknown owner - C:\WINDOWS\ntdev.exe


    (Trojan Ranky/Ranck)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winsock\csrss.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\nsms.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\NT\nrcs.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winsock\csrss.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\etc\services.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\nsms.exe

    O4 - HKLM\..\Run: [Beawver] saqevre.exe
    O4 - HKLM\..\RunServices: [Beawver] saqevre.exe
    O4 - HKCU\..\Run: [Beawver] saqevre.exe
    O4 - HKLM\..\Run: [BF4P] C:\WINDOWS\system32\bf4p.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Configuration Backup Service] C:\WINDOWS\config\svchost.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Management Service] C:\WINDOWS\system32\nsms.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Protected Content Restoration Service] C:\WINDOWS\etc\services.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows TCP/IP Socket Driver] C:\WINDOWS\winsock\csrss.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
    O4 - HKLM\..\Run: [Microsoft (R) Windows Vista/NT Runtime Compatibility Service] C:\WINDOWS\NT\nrcs.exe
    O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] C:\WINDOWS\system32\system12.exe
    O4 - HKLM\..\Run: [MS DLL Library Manager] C:\WINDOWS\system32\dllsys64.exe
    O4 - HKLM\..\Run: [Norton] C:\WINDOWS\system32\(Random Name).exe
    O4 - HKLM\..\Run: [Roflcopteur] C:\WINDOWS\SYSTEM32\seman.exe
    O4 - HKLM\..\Run: [Services] c:\iexplorer.exe
    O4 - HKLM\..\Run: [win32] C:\WINDOWS\system32\win32.exe
    O4 - HKLM\..\Run: [Windows Core Kernel Update] c:\iexplorer.exe
    O4 - HKLM\..\Run: [Windows Core Kernel Update] C:\WINDOWS\system32\win32bootcfg.exe

    O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe
    O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe
    O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINDOWS\system32\nsms.exe
    O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
    O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe
    O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINDOWS\winsock\csrss.exe
    O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINDOWS\NT\nrcs.exe


    (Proxy/Backdoor/PWStealer Trojans)

    O4 - HKLM\..\Run: [Airgo NIC Service] anlServ.exe
    O4 - HKLM\..\RunServices: [Airgo NIC Service] anlServ.exe

    O4 - HKLM\..\Run: [audiocfg.exe] C:\WINDOWS\system32\audiocfg.exe

    O4 - HKLM\..\Run: [Firewall.exe] C:\WINDOWS\system32\Firewall.exe

    O4 - HKLM\..\Run: [msserv] C:\WINDOWS\system32\lvsrev.exe

    O4 - HKLM\..\Run: [pigglett] c:\windows\system32\pigglett.exe
    O4 - HKLM\..\RunServices: [pigglett] c:\windows\system32\pigglett.exe
    O4 - HKCU\..\Run: [pigglett] c:\windows\system32\pigglett.exe

    O4 - HKLM\..\Run: [rpcc] rpcc.exe

    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe
    O4 - HKCU\..\Run: [MSN Messenger] C:\WINDOWS\explorer..exe

    O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe
    O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\explorer..exe

    O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

    O4 - HKCU\..\Run: [SystemDriver] c:\DriverLoad\windrv.exe
    O4 - HKCU\..\Run: [FDriver] c:\DriverLoad\windrv.exe
    O4 - HKCU\..\Run: [ADriver] c:\DriverLoad\windrv.exe
    O4 - HKCU\..\Run: [CDriver] c:\DriverLoad\windrv.exe
    O4 - HKCU\..\Run: [DDriver] c:\DriverLoad\windrv.exe

    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

    O4 - HKCU\..\Run: [ttool] C:\WINDOWS\scvc.exe

    O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

    O4 - HKLM\..\Run: [winmlp02] C:\pizza.exe

    O4 - HKLM\..\Run: [winmlp05] C:\elk.exe

    O4 - HKLM\..\Run: [WinSec] C:\WINDOWS\system32\i_explorer.exe
    O4 - HKCU\..\Run: [WinSec] C:\WINDOWS\system32\i_explorer.exe

    O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - %temp%\dnlsvc.exe


    (HackerDefender)

    O23 - Service: Print Spooler Service (SpoolSvc201) - Unknown owner - Random Filename
    to
    O23 - Service: Print Spooler Service (SpoolSvc227) - Unknown owner - Random Filename
    O23 - Service: Time Service (TIME) - Unknown owner - Random Filename


    (Trojan/Rootkit Components)

    haxdrv.sys
    Hpdriver.sys
    msdirect.sys
    msdirectx.sys
    rdriv.sys
    remon.sys
    rofl.sys
    SMONITOR.SYS
    SVKP.SYS
    timedrv26.sys
    winmon.sys

    Any Comments or Questions, please send them to AndyManchesta@hotmail.com

    =========================================================
    HiJackThis Log (rerun) --- in following reply due to reply post limitations
    =========================================================
  • edited September 2006
    =========================================================
    HiJackThis Log (rerun)
    =========================================================
    Logfile of HijackThis v1.99.1
    Scan saved at 6:42:35 AM, on 9/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    D:\CD\Selma.Downloads\SW\HijackThis.exe

    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
    O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{562FFF1B-353F-4591-B845-DEC2CB541BEA}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{562FFF1B-353F-4591-B845-DEC2CB541BEA}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{562FFF1B-353F-4591-B845-DEC2CB541BEA}: NameServer = 192.168.2.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

    =========================================================
    BlackLight Log - found no hidden items
    =========================================================
    09/20/06 06:43:24 [Info]: BlackLight Engine 1.0.46 initialized
    09/20/06 06:43:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    09/20/06 06:43:24 [Note]: 7019 4
    09/20/06 06:43:24 [Note]: 7005 0
    09/20/06 06:43:26 [Note]: 7006 0
    09/20/06 06:43:26 [Note]: 7011 1764
    09/20/06 06:43:26 [Note]: 7026 0
    09/20/06 06:43:26 [Note]: 7026 0
    09/20/06 06:43:31 [Note]: FSRAW library version 1.7.1019
    09/20/06 06:44:58 [Note]: 7007 0
  • edited September 2006
    =========================================================
    Rootkit Revealer Report
    =========================================================
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\360.326DC4CC01C6DCBB.history\00000000.bak 9/20/2006 6:48 AM 5.95 MB Hidden from Windows API.

    =========================================================
    Ad-Aware Report
    =========================================================

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Wednesday, September 20, 2006 6:59:22 AM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R124 19.09.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Tracking Cookie(TAC index:3):5 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for low-risk threats
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    9-20-2006 6:59:22 AM - Scan started. (Full System Scan)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 728
    ThreadCreationTime : 9-20-2006 1:35:26 PM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 812
    ThreadCreationTime : 9-20-2006 1:35:28 PM
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 836
    ThreadCreationTime : 9-20-2006 1:35:31 PM
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 880
    ThreadCreationTime : 9-20-2006 1:35:31 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 892
    ThreadCreationTime : 9-20-2006 1:35:31 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1048
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1108
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1200
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1296
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1360
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:11 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1500
    ThreadCreationTime : 9-20-2006 1:35:32 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion : 5.1.2600.2696
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:12 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 1764
    ThreadCreationTime : 9-20-2006 1:35:38 PM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:13 [avp.exe]
    FilePath : C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\
    ProcessID : 1828
    ThreadCreationTime : 9-20-2006 1:35:38 PM
    BasePriority : Normal
    FileVersion : 6.0.0.299
    ProductVersion : 6.0.0.299
    ProductName : Kaspersky Anti-Virus
    CompanyName : Kaspersky Lab
    FileDescription : Kaspersky Anti-Virus
    InternalName : AVP
    LegalCopyright : Copyright © Kaspersky Lab 1996-2006.
    LegalTrademarks : Kaspersky™ Anti-Virus ® is registered trademark of Kaspersky Lab.
    OriginalFilename : AVP.EXE

    #:14 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1936
    ThreadCreationTime : 9-20-2006 1:35:39 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:15 [wdfmgr.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 856
    ThreadCreationTime : 9-20-2006 1:35:42 PM
    BasePriority : Normal
    FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
    ProductVersion : 5.2.3790.1230
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows User Mode Driver Manager
    InternalName : WdfMgr
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : WdfMgr.exe

    #:16 [rundll32.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1916
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : RUNDLL.EXE

    #:17 [soundman.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 708
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Normal
    FileVersion : 5.1.0.40
    ProductVersion : 5.1.0.40
    ProductName : Realtek Sound Manager
    CompanyName : Realtek Semiconductor Corp.
    FileDescription : Realtek Sound Manager
    InternalName : ALSMTray
    LegalCopyright : Copyright (c) 2001-2004 Realtek Semiconductor Corp.
    OriginalFilename : ALSMTray.exe
    Comments : Realtek AC97 Audio Sound Manager

    #:18 [acrotray.exe]
    FilePath : C:\Program Files\Adobe\Acrobat 7.0\Distillr\
    ProcessID : 800
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Normal
    FileVersion : 7.0.7.2006011200
    ProductVersion : 7.0.7.2006011200
    ProductName : AcroTray - Adobe Acrobat Distiller helper application.
    CompanyName : Adobe Systems Inc.
    FileDescription : AcroTray
    InternalName : AcroTray
    LegalCopyright : Copyright 1984-2006 Adobe Systems Incorporated and its licensors. All rights reserved.
    OriginalFilename : AcroTray.exe

    #:19 [avp.exe]
    FilePath : C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\
    ProcessID : 720
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Normal
    FileVersion : 6.0.0.299
    ProductVersion : 6.0.0.299
    ProductName : Kaspersky Anti-Virus
    CompanyName : Kaspersky Lab
    FileDescription : Kaspersky Anti-Virus
    InternalName : AVP
    LegalCopyright : Copyright © Kaspersky Lab 1996-2006.
    LegalTrademarks : Kaspersky™ Anti-Virus ® is registered trademark of Kaspersky Lab.
    OriginalFilename : AVP.EXE

    #:20 [em_exec.exe]
    FilePath : C:\Program Files\Logitech\MouseWare\system\
    ProcessID : 1016
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Normal
    FileVersion : 9.79.025
    ProductVersion : 9.79.025
    ProductName : MouseWare
    CompanyName : Logitech Inc.
    FileDescription : Logitech Events Handler Application
    InternalName : Em_Exec
    LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
    LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
    OriginalFilename : Em_Exec.exe
    Comments : Created by the MouseWare team

    #:21 [teatimer.exe]
    FilePath : C:\Program Files\Spybot - Search & Destroy\
    ProcessID : 956
    ThreadCreationTime : 9-20-2006 1:37:36 PM
    BasePriority : Idle
    FileVersion : 1, 4, 0, 2
    ProductVersion : 1, 4, 0, 3
    ProductName : Spybot - Search & Destroy
    CompanyName : Safer Networking Limited
    FileDescription : System settings protector
    InternalName : TeaTimer
    LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
    LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
    OriginalFilename : TeaTimer.exe
    Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

    #:22 [hpogrp07.exe]
    FilePath : C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\
    ProcessID : 2080
    ThreadCreationTime : 9-20-2006 1:37:37 PM
    BasePriority : Normal
    FileVersion : 2.00
    ProductVersion : A.14.07.04
    ProductName : hp officejet 7100 series
    CompanyName : Hewlett-Packard Co.
    FileDescription : HP OfficeJet COM Device Objects
    InternalName : HPOGRP07
    LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000
    OriginalFilename : HPOGRP07.EXE
    Comments : HP OfficeJet <GromitPlus> Series COM Device Objects

    #:23 [hpoevm07.exe]
    FilePath : C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\
    ProcessID : 2232
    ThreadCreationTime : 9-20-2006 1:37:38 PM
    BasePriority : Normal
    FileVersion : 1.00
    ProductVersion : A.14.07.04
    ProductName : hp officejet 7100 series
    CompanyName : Hewlett-Packard Co.
    FileDescription : HP OfficeJet COM Event Manager
    InternalName : HPOEVM07
    LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000
    OriginalFilename : HPOEVM07.EXE
    Comments : HP OfficeJet COM Event Manager

    #:24 [hpoipm07.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2304
    ThreadCreationTime : 9-20-2006 1:37:38 PM
    BasePriority : Normal
    FileVersion : 4, 5, 0, 767
    ProductVersion : 4, 5, 0, 767
    ProductName : HP PML
    CompanyName : HP
    FileDescription : PML Driver
    InternalName : PmlDrv
    LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
    OriginalFilename : PmlDrv.exe

    #:25 [hposts07.exe]
    FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
    ProcessID : 2568
    ThreadCreationTime : 9-20-2006 1:37:43 PM
    BasePriority : Normal
    FileVersion : 1.00
    ProductVersion : A.14.07.04
    ProductName : hp officejet 7100 series
    CompanyName : Hewlett-Packard Co.
    FileDescription : HP OfficeJet Status
    InternalName : HPOSTS07
    LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000
    OriginalFilename : HPOCPY07.EXE
    Comments : HP OfficeJet Status

    #:26 [hpofxm07.exe]
    FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
    ProcessID : 2576
    ThreadCreationTime : 9-20-2006 1:37:43 PM
    BasePriority : Normal
    FileVersion : 1.00
    ProductVersion : A.14.07.04
    ProductName : hp officejet 7100 series
    CompanyName : Hewlett-Packard Co.
    FileDescription : HP OfficeJet G Series Fax Manager
    InternalName : HPOFXM07
    LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000
    OriginalFilename : HPOFXM07.EXE
    Comments : HP OfficeJet G Series Fax Manager

    #:27 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 1736
    ThreadCreationTime : 9-20-2006 1:58:56 PM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim@zedo[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:5
    Value : Cookie:tim@zedo.com/
    Expires : 9-16-2016 6:25:58 PM
    LastSync : Hits:5
    UseCount : 0
    Hits : 5

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim@serving-sys[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:10
    Value : Cookie:tim@serving-sys.com/
    Expires : 12-31-2037 3:00:00 PM
    LastSync : Hits:10
    UseCount : 0
    Hits : 10

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim@adrevolver[3].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:13
    Value : Cookie:tim@media.adrevolver.com/adrevolver/
    Expires : 6-14-2009 8:53:22 PM
    LastSync : Hits:13
    UseCount : 0
    Hits : 13

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim@tribalfusion[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:tim@tribalfusion.com/
    Expires : 9-20-2006 6:54:44 AM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : tim@adrevolver[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:10
    Value : Cookie:tim@adrevolver.com/
    Expires : 9-19-2007 10:53:24 AM
    LastSync : Hits:10
    UseCount : 0
    Hits : 10

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 5
    Objects found so far: 5



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Deep scanning and examining files (D:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for D:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Deep scanning and examining files (S:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for S:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 5




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5

    7:07:41 AM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:08:18.657
    Objects scanned:227382
    Objects identified:5
    Objects ignored:0
    New critical objects:5

    =========================================================
    Spybot Report
    =========================================================
    Win23.PE: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386

    Win23.PE: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-09-18 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-09-15 Includes\Cookies.sbi (*)
    2006-09-15 Includes\Dialer.sbi (*)
    2006-09-15 Includes\Hijackers.sbi (*)
    2006-09-15 Includes\Keyloggers.sbi (*)
    2006-09-15 Includes\Malware.sbi (*)
    2006-09-15 Includes\PUPS.sbi (*)
    2006-09-15 Includes\Revision.sbi (*)
    2006-09-15 Includes\Security.sbi (*)
    2006-09-15 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-09-15 Includes\Trojans.sbi (*)

    =========================================================
    Kaspersky Full Scan Results (edited to relevant info)
    =========================================================

    *******************
    NOTE: "dirty.32.sis.trash" (below) was a copy of WSOCK32.SYS that I renamed,
    placed into a directory, renamed the directory, moved it, then deleted it following reboot.
    *******************

    9/20/2006 6:51:39 AM File D:\RECYCLER\S-1-5-21-1417001333-602162358-839522115-1003\Dd6\dirty.32.sis.trash: detected Trojan program Backdoor.Win32.Ciadoor.13
    9/20/2006 6:51:39 AM Security threats have been detected. You are advised to neutralize them immediately.
    9/20/2006 6:53:02 AM File D:\RECYCLER\S-1-5-21-1417001333-602162358-839522115-1003\Dd6\dirty.32.sis.trash: deleted

    Reports
    Task Status Start Finish Size
    ----


    ----
    Anti-Hacker running 9/20/2006 6:35:42 AM 0 bytes
    Anti-Spy running 9/20/2006 6:35:42 AM 0 bytes
    Web Anti-Virus running 9/20/2006 6:35:42 AM 162.4 KB
    Anti-Spam running 9/20/2006 6:35:42 AM 0 bytes
    Proactive Defense running 9/20/2006 6:35:42 AM 0 bytes
    File Anti-Virus running 9/20/2006 6:35:42 AM 29.7 MB
    Mail Anti-Virus running 9/20/2006 6:35:42 AM 0 bytes
    Scan My Computer completed 9/20/2006 7:17:15 AM 9/20/2006 7:41:26 AM 63.5 MB

    Quarantine
    Status Object Size Added

    ----

    Backup
    Status Object Size

    ----
    Infected: Trojan program Backdoor.Win32.Ciadoor.13 D:\RECYCLER\S-1-5-21-1417001333-602162358-839522115-1003\Dd6\dirty.32.sis.trash 159.5 KB
    Infected: Trojan program Backdoor.Win32.Ciadoor.13 C:\WINDOWS\system32\wsock32.sys 159.5 KB
    Infected: Trojan program Backdoor.Win32.Ciadoor.13 C:\WINDOWS\SYSTEM32\SCVHOST.EXE 182 KB
    Infected: Trojan program Backdoor.Win32.Ciadoor.13 c:\windows\system32\x3suf4k1c4.ini 182 KB
  • rpggamergirl South Australia
    edited September 2006
    Your Questions:
    1. While reading a guide on this forum it suggested running 8-steps to
    possibly fix problems. These were WinXP Recovery Console steps that included executing ATTRIB; Del boot.ini; BOOTCFG /REBUILD; CHKDSK /R /F; FIXBOOT. Apparently I didn't use the same Load Identifier for this new rebuild as the original, so now on bootup I have two operating systems identified: (a) WinXP Pro -- the new one, and (b) Microsoft Windows XP Professional. Can you tell me how to delete the second one?


    I'm only new here and I haven't been anywhere on this site except the "Spyware/Virus/Trojan Help" section and I haven't read their stickies yet. So I don't know where you found the "8 steps to possible fix a problem" thread, sorry.

    To remove an OS in your bootup file, you need to edit your "boot.ini" file, then Save.

    You have to show hidden files and folders first:
    In Explorer > Tools > Folder Options > View
    Check "Show Hidden Files and Folders"
    Uncheck "Hide protected operating system files (recommended)"


    The content of the boot.ini file will look similar to this:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect


    Delete the line of the OS that you want to delete.

    Also note:
    the line which begins with "default=" should be pointing to your XP Pro partition.
    The string behind "default=" must be identical with the string on the line for XP Pro before the equal sign.


    2. I have been attempting to determine "the best" anti-virus and internet
    security software. Based on my limited knowledge and experience, after
    installing and running six different packages, including Kaspersky, ZoneAlarms,
    F-Secure, Norton, McAfee, AVG & AVAST, it appears that no individual package detects everything (i.e., if I load and unload one package, followed by another, each seems to detect unique malware). The best to me appears to be Kaspersky. Are there concrete results somewhere that are more detailed than my limited evaluation?


    I think you're doing the right thing; I agree that Kaspersky seems to be the best out there.
    Here's a 2006 review of the top ten antivirus programs. Although BitDefender tops it for the best deal, it's Kaspersky that I would go with.
    http://anti-virus-software-review.toptenreviews.com/


    Run Hijackthis and put a check next to these entries:
    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
    O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
    O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
    Close all browsers and other windows and click "Fix Checked".

    Fixing the above entries will fix the error "Could not load or run 'C:\Windows\system32\scvhost.exe'"
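The boot.ini edit described above, carried out as a script: parse the file, drop the entry by its menu name, and refuse the change if "default=" would no longer match a remaining line before the equal sign. This is an added example, not code from the thread; the sample boot.ini is constructed to mirror the duplicate-entry situation the question describes.

```python
"""Remove a stale [operating systems] entry from boot.ini and check that
default= still points at a remaining entry.  Added example, not thread code."""
import re

# Constructed sample: BOOTCFG /REBUILD added a second entry ("WinXP Pro")
# for the same partition, so the boot menu shows two operating systems.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="WinXP Pro" /fastdetect
"""

# ARC path, quoted menu name, then optional switches such as /fastdetect.
OS_LINE = re.compile(r'^(?P<arc>[^=]+)="(?P<name>[^"]*)"(?P<opts>.*)$')


def parse_boot_ini(text):
    """Return (loader settings dict, list of (arc_path, menu_name, opts))."""
    loader, systems, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip()] = value.strip()
        elif section == "operating systems":
            m = OS_LINE.match(line)
            if m:
                systems.append((m["arc"].strip(), m["name"], m["opts"].strip()))
    return loader, systems


def remove_os_entry(text, menu_name):
    """Drop the [operating systems] line whose menu name is menu_name.

    Refuses if no such entry exists, if it is the last entry, or if the
    default= ARC path would match none of the remaining lines."""
    loader, systems = parse_boot_ini(text)
    remaining = [s for s in systems if s[1] != menu_name]
    if len(remaining) == len(systems):
        raise ValueError(f"no entry named {menu_name!r}")
    if not remaining:
        raise ValueError("refusing to remove the last operating system")
    default = loader.get("default")
    if default not in {arc for arc, _, _ in remaining}:
        raise ValueError(f"default={default} would match no remaining entry")
    out = ["[boot loader]"]
    out += [f"{k}={v}" for k, v in loader.items()]
    out.append("[operating systems]")
    out += [f'{arc}="{name}" {opts}'.rstrip() for arc, name, opts in remaining]
    return "\n".join(out) + "\n"
```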
  • edited September 2006
    Thank you for your help and suggestions.

    I've decided to reformat and rebuild my system because I've been working on this for a week and need to get back to being productive. I was trying to understand exactly what was happening and why so I could prevent (or fix) this from occurring again.

    FYI, here's what I learned:

    1. Before I received your latest response, it was obvious this malware had deleted svchost.exe and replaced it with scvhost.exe. So I copied the correct file from a working system. In the registry I searched for all instances of scvhost.exe. I discovered multiple modifications. Basically it appears that these modifications did some funny cross-linking between HKCR & HKLM in the Software.Microsoft.WindowsNT(or Windows).CurrentVersion.Windows areas settings making various entries into Load and Run and modifying pointers to HKCR and HKLM. I used an existing non-infected system as a guide to correct everything that I saw that looked odd. I fully expected my system to not reboot after all these modifications, given that I only know enough to be dangerous, not enough to really know what I'm doing. But I figured my system was gone anyway, so what the heck. The system always rebooted and began becoming more and more stable. I was finally able to delete and remove WSOCK32.SYS and SCVHOST.EXE. I apparently got everything pointing back to SVCHOST.EXE.

    2. I'm not sure what did it, but I finally got my system to stop removing my CMD, REGEDIT & Task Mgr on bootup. However, on every reboot Kaspersky detects and prevents "something" from trying to reset things in the registry back to SCVHOST.EXE. I have no idea what is executing on shut-down or bootup that is initiating this.

    3. I still do not have permission to use my network resources (with administrative privileges). I have tried everything I can think of and googled and followed many posted suggestions.

    4. I still do not have System Restore anywhere on my system. I don't know where it went, what shut it down, or how to get it back.

    I don't even know what to call this malware I got. It was and is a very nasty little thing. Somebody had a great time wasting my time. I don't know if karma exists, but I sure hope so for the creator of this malware.

    Thank you all again.
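The scvhost.exe/svchost.exe confusion in the HijackThis entries above and in this follow-up is a name look-alike, which is easy to check for mechanically. The following detector, an added example and not code from the thread or from HijackThis, reads HijackThis-style F3 and O4 lines and flags executables whose name is within a couple of edits of svchost.exe, a genuinely named svchost.exe running outside System32, or any win.ini load=/run= entry at all. The sample lines are constructed from the entries quoted in the reply plus two extra cases; the System32 path and the edit-distance threshold are assumptions.

```python
"""Flag svchost.exe look-alikes in HijackThis-style F3 (win.ini load=/run=) and
O4 (Run/RunServices) lines.  Added example, not code from the thread."""
import ntpath
import re

# Constructed sample lines: three entries the reply says to fix, one benign
# Run entry, and a genuinely named svchost.exe launched from a user profile.
SAMPLE_LINES = [
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe",
    r"F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\tim\svchost.exe",
]

GENUINE = "svchost.exe"
SYSTEM_DIRS = {r"c:\windows\system32"}  # assumption: the only home of the real one
LOOKALIKE_MAX_DISTANCE = 2               # assumption: 1-2 edits counts as a look-alike

DRIVE_PATH = re.compile(r"([A-Za-z]:\\.*?\.exe)\b", re.IGNORECASE)
BARE_NAME = re.compile(r"(\S+\.exe)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Optimal-string-alignment distance: svchost -> scvhost (one swap) scores 1."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_exe(line):
    """Pull the launched executable (full path, else bare name) out of the line."""
    m = DRIVE_PATH.search(line) or BARE_NAME.search(line)
    return m.group(1) if m else None


def classify(line):
    """Return a reason string when the line deserves attention, else None."""
    exe = extract_exe(line)
    if exe is None:
        return None
    directory, name = ntpath.split(exe)
    if name.lower() == GENUINE:
        if directory.lower() not in SYSTEM_DIRS:
            return f"genuine name outside system dir: {exe}"
        return None
    if edit_distance(name, GENUINE) <= LOOKALIKE_MAX_DISTANCE:
        return f"look-alike of {GENUINE}: {exe}"
    if line.startswith("F3 "):
        # win.ini load= and run= are normally empty on a clean XP system.
        return f"win.ini load/run entry present: {exe}"
    return None


def scan(lines):
    """Return (line, reason) pairs for every suspicious line."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits
```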
  • rpggamergirl South Australia
    edited September 2006
    A lot of viruses these days can disable utilities and even disable Firewall, antivirus and System Restore which can be really annoying.
    P2PNetwork worm or variants of Alcan worm are known to disable CMD, REGEDIT & Task Mgr, but you also had something nastier and less known, WSOCK32.SYS.


    Sorry to hear you had to reformat. Maybe it's for the best to start afresh.

    You might like to read Tony Klein's article "How did I Get Infected In The First Place?"
    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited September 2006
    You might like to read...
    You might also like our very own Short-Media guide to avoiding the nasties! :D
  • rpggamergirl South Australia
    edited September 2006
    Ooops! sorry... lol

    That link looks good!
    I might have to add that in my Bullguard sig :)
  • edited October 2006
    Same symptoms as described, with the additional ones that Webroot's Spysweeper and McAfee's Antivirus would each attempt to start and would be immediately terminated.

    For me, the key was seeing an unfamiliar process in Task Manager (grand.exe) which could not be terminated, and seeing an unfamiliar service, "Italian Grand Prix," running with no substantial information about it.

    Victims maybe should be aware that I was operating through a dialup at the time I contracted this disease, and I noticed that 1.5MB of "stuff" had been uploaded to somewhere -- yet I was doing nothing at the machine. (I immediately pulled the plug to stop the leak.) The point is that stuff from your system gets sent somewhere else without your consent, so it's theft.

    Regards,
    dthede
  • edited October 2006
    Sparky 545 also mentions the Sys Internals tools. In my case, disk- or filemon would run because it was outside the default folder, but access to the other tools in the default folder was prevented: as soon as the folder was opened, it closed automatically. Bear in mind that I have a slow processor (733 MHz) so events I see in stages, may be happening in the blink of an eye (or quicker) for others. Grand.exe consumed 72% of CPU cycles on my machine, so it was easy to spot.