[inactive]csrss virus - AdAware fatal system error

edited November 2006 in Spyware & Virus Removal
Greetings,

Your assistance will be much appreciated for a virus (worm? trojan?) that I picked up yesterday and can't kill the bogus csrss process or delete the bogus csrss.exe file. The HJT log is included below. Please let me know if you need any further info.

Thanks in advance for taking the time to help!
Marlene

Logfile of HijackThis v1.99.1
Scan saved at 7:54:57 PM, on 10/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\csrss.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lithic\HalfMoon\halfmoon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HalfMoonAutoStart] C:\Program Files\Lithic\HalfMoon\halfmoon.exe -minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O15 - Trusted Zone: *.addictsvictorious.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.americanexpress.com
O15 - Trusted Zone: *.autoexplosion.com
O15 - Trusted Zone: *.autotrader.com
O15 - Trusted Zone: *.bairdwarner.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.c21proteam.net
O15 - Trusted Zone: *.car-realtor.com
O15 - Trusted Zone: *.careerbuilder.com
O15 - Trusted Zone: *.carreview.com
O15 - Trusted Zone: *.chicagoproducers.com
O15 - Trusted Zone: *.chicagorealtor.com
O15 - Trusted Zone: *.connectmls.com
O15 - Trusted Zone: *.craigslist.org
O15 - Trusted Zone: *.dinkytown.net
O15 - Trusted Zone: *.ezdesk.com
O15 - Trusted Zone: *.fonerbooks.com
O15 - Trusted Zone: *.geoaccess.com
O15 - Trusted Zone: *.greatschools.net
O15 - Trusted Zone: *.imprev.net
O15 - Trusted Zone: *.internetcrusade.com
O15 - Trusted Zone: *.investsafe.com
O15 - Trusted Zone: *.kbb.com
O15 - Trusted Zone: *.linkedin.com
O15 - Trusted Zone: *.localrealestate.com
O15 - Trusted Zone: *.magellangps.com
O15 - Trusted Zone: *.mail.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.motorola.com
O15 - Trusted Zone: *.nadaguides.com
O15 - Trusted Zone: *.realestatesimulator.com
O15 - Trusted Zone: *.realtor.org
O15 - Trusted Zone: *.rexplorer.com
O15 - Trusted Zone: *.rexplorer.net
O15 - Trusted Zone: *.search-mls.net
O15 - Trusted Zone: *.thebuilderofchoice.com
O15 - Trusted Zone: *.tucows.com
O15 - Trusted Zone: *.uexpress.com
O15 - Trusted Zone: *.virtualassistanceu.com
O15 - Trusted Zone: *.vzwshop.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: *.zipagent.com
O15 - Trusted Zone: *.ziprealty.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.farmdoc.uiuc.edu/download/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116639432609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://remax-cahi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O20 - Winlogon Notify: rege2usb - C:\WINDOWS\SYSTEM32\rege2usb.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Comments

  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi Marlene. You have a potential real nasty thing going on there so I should warn you until we get this thing rooted out (and find out exactly what it is) you shouldn't use this PC on the internet, especially for banking. You can use it to visit this site until we get you clean but in the interim keep it's connection to the internet minimal. Please follow the instructions below:

    First I would like to see a startup list from Hijack This:
    • Open Hijack This and click the open misc. tools button.
    • At the top click the Generate StartupList log button.
    • Click Yes at the next prompt.
    • The startup list will open in Notepad. Please post the entire contents of the list in your next reply.

    Next, please download haxfix.exe
    and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"

    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt.
    • Copy the contents of that logfile and paste it into this thread along with the startup list from Hijack This.
  • edited October 2006
    Hello,

    Thanks much for taking the time to answer. I tried to run haxfix.exe and get an error that the "setup files are corrupted".

    I'm thinking it's bad enough that I'll need to reformat and reinstall Windows XP.

    What do you think?

    Thanks!
    Marlene
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi Marlene. I don't want to go that route yet. I just ran the tool on my PC and it worked so I was just checking to make sure that something in the program didn't go awry. It's a great program and I'm sorry it's not working for you. I would still like to see the startup list from Hijack This. Could you please post that in your next reply? By then I'll come up with something else we can try.
    :)

    Can you tell me---Did Haxfix install OK for you? Am I correct in saying that you got the error message when you actually tried to run the program or were you just installing it?
  • edited October 2006
    Hi,

    I downloaded the haxfix.exe and when double clicking the downloaded file it gererates the error about the setup file being corrupt. Could the virus be causing the problem? I also can't pull up some the free online virus scanners. And AdAware is still getting fatal system errors.

    The startup list from HJT is included below. I hope that I did it correctly. And I see that I need to remove the call to that csrss.exe file in the registry.

    Thanks again for your continued help.

    StartupList report, 10/26/2006, 5:02:56 PM
    StartupList version: 1.52.2
    Started from : C:\downloads\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lithic\HalfMoon\halfmoon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\downloads\hijackthis\HijackThis.exe


    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Marlene\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CTSysVol = C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    CTHelper = CTHELPER.EXE
    AsioReg = REGSVR32.EXE /S CTASIO.DLL
    UpdReg = C:\WINDOWS\UpdReg.EXE
    SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    HalfMoonAutoStart = C:\Program Files\Lithic\HalfMoon\halfmoon.exe -minimized
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    (Default) =


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*


    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*


    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S


    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*


    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1


    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*


    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*



    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}


    Enumerating Task Scheduler jobs:

    *No jobs found*


    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
    CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
    CODEBASE = http://www.ipix.com/download/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://download.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Housecall_ActiveX.dll
    CODEBASE = http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [ChartFX Internet Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CfxIEAx.ocx
    CODEBASE = http://www.farmdoc.uiuc.edu/download/CfxIEAx.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [YInstStarter Class]
    InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
    CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

    [PSFormX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\PESTSC~1.OCX
    CODEBASE = http://www.pestpatrol.com/pestscan/pestscan.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116639432609

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [Housecall ActiveX 6.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [MLXchange Client Utils]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MLXClientUtils.dll
    CODEBASE = http://mlsni.mlxchange.com/Control/MLXClientUtils.cab

    [Groove Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\GrooveAX.dll
    CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

    [Java Plug-in 1.5.0_05]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab

    [{B1826A9F-4AA0-4510-BA77-9013E74E4B9B}]
    CODEBASE = http://www.trendmicro.com/spyware-scan/as4web.cab

    [ASquaredScanForm Element]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\axscan.ocx
    CODEBASE = http://www.windowsecurity.com/trojanscan/axscan.cab

    [View22RTE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\View22RTE.dll
    CODEBASE = http://hgtv1.view22.com/view22/app/view22rte.cab

    [Java Plug-in 1.5.0_05]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

    [Photodex Presenter AX control]
    InProcServer32 = C:\PROGRA~1\PHOTOD~1\pxplay.ocx
    CODEBASE = http://www.photodex.com/pxplay.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://remax-cahi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab


    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll


    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    system = C:\WINDOWS\csrss.exe


    End of report, 17,823 bytes
    Report generated in 0.047 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    I'm sorry Marlene but could you please post another startup list and this time make sure the two boxes next to the button that says generate startup list are checked. And I would say the virus is the total reason you can't visit security sites. You have a Netsky worm infection but I want to take care of that last if at all possible. I'll post back once we see the complete startup list.

    Sorry.
    :(
  • edited October 2006
    Hi,

    It's good of you to stick with me. I really appreciate your help.

    Here's the startup list with both boxes checked now.

    Thanks again, :)
    Marlene

    StartupList report, 10/26/2006, 7:26:23 PM
    StartupList version: 1.52.2
    Started from : C:\downloads\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lithic\HalfMoon\halfmoon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\downloads\hijackthis\HijackThis.exe


    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Marlene\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CTSysVol = C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    CTHelper = CTHELPER.EXE
    AsioReg = REGSVR32.EXE /S CTASIO.DLL
    UpdReg = C:\WINDOWS\UpdReg.EXE
    SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    HalfMoonAutoStart = C:\Program Files\Lithic\HalfMoon\halfmoon.exe -minimized
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    (Default) =


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*


    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*


    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S


    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*


    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Remove.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe


    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*


    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}


    Enumerating Task Scheduler jobs:

    *No jobs found*


    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
    CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

    [iPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
    CODEBASE = http://www.ipix.com/download/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://download.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Housecall_ActiveX.dll
    CODEBASE = http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [ChartFX Internet Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CfxIEAx.ocx
    CODEBASE = http://www.farmdoc.uiuc.edu/download/CfxIEAx.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [YInstStarter Class]
    InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
    CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

    [PSFormX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\PESTSC~1.OCX
    CODEBASE = http://www.pestpatrol.com/pestscan/pestscan.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116639432609

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [Housecall ActiveX 6.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [MLXchange Client Utils]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MLXClientUtils.dll
    CODEBASE = http://mlsni.mlxchange.com/Control/MLXClientUtils.cab

    [Groove Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\GrooveAX.dll
    CODEBASE = http://www.nick.com/common/groove/gx/GrooveAX27.cab

    [Java Plug-in 1.5.0_05]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab

    [{B1826A9F-4AA0-4510-BA77-9013E74E4B9B}]
    CODEBASE = http://www.trendmicro.com/spyware-scan/as4web.cab

    [ASquaredScanForm Element]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\axscan.ocx
    CODEBASE = http://www.windowsecurity.com/trojanscan/axscan.cab

    [View22RTE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\View22RTE.dll
    CODEBASE = http://hgtv1.view22.com/view22/app/view22rte.cab

    [Java Plug-in 1.5.0_05]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

    [Photodex Presenter AX control]
    InProcServer32 = C:\PROGRA~1\PHOTOD~1\pxplay.ocx
    CODEBASE = http://www.photodex.com/pxplay.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://remax-cahi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab


    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll


    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
    ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (disabled)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
    Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
    Creative DVD-Audio Device Driver: System32\drivers\ctdvda2k.sys (manual start)
    Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
    Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
    Kodak Camera Proxy: System32\DRIVERS\DcCam.sys (system)
    DcFpoint: System32\DRIVERS\DcFpoint.sys (manual start)
    Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
    Legacy Polling Service: System32\DRIVERS\DcLps.sys (manual start)
    dcptp: System32\DRIVERS\DcPTP.sys (manual start)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
    Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
    Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Exportit: System32\DRIVERS\exportit.sys (system)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    grmnusb: system32\drivers\grmnusb.sys (manual start)
    Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
    Creative P16V HAL Driver: System32\drivers\hap16v2k.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
    Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    rege memory mapper: \??\C:\WINDOWS\System32\regepsrvc.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{19DA051E-D7D9-478A-9B97-280E172C9C07} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
    SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
    SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
    SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (disabled)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    wpsdrvnt: \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (system)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    YCHGGQOX: \??\C:\WINDOWS\System32\ychggqox.djz (autostart)



    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    system = C:\WINDOWS\csrss.exe


    End of report, 35,902 bytes
    Report generated in 0.125 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi Marlene. Thanks for the log. It tells us much more. I would like you to delete the haxfix.exe that you have now and download it again and try to run it according to the instructions from my first post to you. If it runs please post the log it generates back here.
    :D

    I will include those instructions again below. Please delete the first downloaded file and then:

    Download haxfix.exe
    and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"

    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt.
    • Copy the contents of that logfile and paste it into this thread.
  • edited October 2006
    Hello,

    I did as you requested and got the same error about setup file corruption. So I saved it to my D drive and it installed successfully from there.

    Here is the log.

    HAXFIX logfile - by Marckie
    ______________
    version 4.28
    Fri 10/27/2006 9:51:47.07

    checking for haxdoor
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    no matching services found

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    rege2usb

    checking for services....
    regepsrvc

    checking for other goldunfiles....


    Finished


    Hope that helps. You are so kind to spend your free time helping me. I sincerely appreciate it. :)

    Thanks!
    Marlene
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Good thinking Marlene! And the log showed me what I wanted to see. Now follow these instructions:
    • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.
    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.
  • edited October 2006
    Hi,

    I did as you requested and the log is included below.

    What's next?

    With many thanks,
    Marlene

    HAXFIX logfile - by Marckie
    version 4.28
    Fri 10/27/2006 14:11:38.76

    --- Auto Haxdoorfix ---


    searching for files:

    no infections found


    --- Goldunfix ---


    searching for files:

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    rege2usb

    searching for services:
    regepsrvc


    deleting service regepsrvc
    [SWSC] DeleteService SUCCESS


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    notifykey rege2usb not found


    searching for services

    service regepsrvc not found


    searching for safeboot services

    not needed


    searching for files

    rege2usb.dll exists
    deleting rege2usb.dll
    rege2usb.dll has been deleted

    regepsrvc.sys exists
    deleting regepsrvc.sys
    regepsrvc.sys has been deleted


    checking for other files

    ksl48.bin exists
    deleting ksl48.bin
    ksl48.bin has been deleted


    checking for a3d files

    no a3d files found


    Finished
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Looks good. Now please post a fresh Hijack This log and we'll take care of the rest.
    :)
  • edited October 2006
    Oops...sorry. I forgot to include the new HJT log in the last post. Here it is.

    You're my hero! :)
    Thanks,
    Marlene

    Logfile of HijackThis v1.99.1
    Scan saved at 2:59:19 PM, on 10/27/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Lithic\HalfMoon\halfmoon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [HalfMoonAutoStart] C:\Program Files\Lithic\HalfMoon\halfmoon.exe -minimized
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.farmdoc.uiuc.edu/download/CfxIEAx.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116639432609
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlsni.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://remax-cahi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • skywalker45skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi Marlene. Excellent Job!
    :D

    As a final precaution and cleanup please follow these instructions:

    Download ATF cleaner from here.

    Locate ATF Cleaner.exe and open it.

    Under Main select the following:

      Windows Temp
      Current User Temp
      All Users Temp
      Cookies
      Temporary Internet Files
      Prefetch
      Java Cache


      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.

      Next,

      Please download AVG Anti-Spyware from my signature below. It is a free trial of the software. Save the install file to your desktop.
      • Install AVG by double clicking the installer.
      • Follow the prompts. Make sure that Launch AVG is checked.
      • On the main screen under Your Computer's security.
        • Click on Change state next to Resident shield. It should now change to inactive.
        • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
        • Wait until you see the Update succesfull message.
          Note: If the Update now option is grayed out, follow the steps below.
          • Click on Update on the toolbar.
          • Under Manual update, click on the Start Update button.
          • Wait until you see the Update succesfull message.
      • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
      If you are having problems with the updater, you can use this link to manually update AVG.
      AVG manual updates.
      Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG is closed before installing the update.

      ______________________________


      Reboot your computer in Safe Mode.
      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe mode.
      • Login on your usual account.
      ______________________________

      Close ALL open Windows / Programs / Folders. Please start AVG and run a full scan.
      • Click on Scanner on the toolbar.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Automatically generate report after every scan and uncheck Only if threats were found.
        • Under What to scan?
          • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
        IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
        • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
        • At the bottom of the window click on the Apply all Actions button. (3)
          scanavgjk2.jpg
      • When done, click the Save Scan Report button.(4)
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot in Normal Mode.

      Please post the AVG Log and a fresh Hijack This log in your next reply.
    • edited October 2006
      Hi Skywalker,

      I ran ATF cleaner as you suggested.

      Since I already have AVG Free Edition installed, would it cause a problem to install another copy?

      Also, do you think if I had had the Pro version installed that it would stopped these viruses?

      Please let me know which viruses/trojans/worms that you discovered and how each of them was caught (website or email).

      I did run AVG and it didn't find anything. Do you think I still need to run the paid version?

      Thank you so much!!!!
      Marlene
    • skywalker45skywalker45 Bloomington, IN. USA
      edited October 2006
      Hi Marlene. You have AVG Anti-Virus Free installed. AVG Anti-Spyware is a different program and it won't conflict with the Anti-Virus product. I recommend that you download it and run it as instructed above. It is a 30 day free trial of the product and it will likely uncover some things that AVG Anti-Virus won't.

      My advice is not to pay for anything unless you have to.
      :D

      There are many great products out there that are completely free or have a decent trial period. So go ahead and download and run AVG Anti-Spyware according to the instructions above and post the log it generates along with a fresh Hijack This log.

      As far as a paid version stopping a virus/trojan as opposed to a free version is anyone's guess. Malware works to try to subvert any and all security programs so I would say no.

      Ooops! I almost forgot what was identified in your log. You had a variant of the Goldun Trojan. The reason I was so worried in the beginning is that many times when you see it in a log the Haxdoor Rootkit could also be there. In this case it wasn't but it never hurts to be safe. Haxdoor can be very dangerous and Goldun is bad enough. It can steal passwords, log websites you visit, etc. But it's gone now. The process csrss.exe that was running from your Windows directory is usually an indication of infection with the Netsky worm, but in this case it must have went with the Goldun so it was likely added by that Trojan, because it doesn't appear in your last log.

      AVG will clean up any remaining parts of these bugs.
    • edited November 2006
      Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

      Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum

      If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

      Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    This discussion has been closed.