
Malware infection w/ HJT and other log files attached

Discussion in 'Malware and Virus Removal Archive' started by AgentPat, 2007/06/04.

  1. 2007/06/07
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Truly, much of this is Greek to me. Have a look see yourself. Do you guys see anything peculiar:

    (661 x 548)
    http://www.patcostello.com/images/pe.gif

    :confused:

    Do you mean hitting F8 at the beep? That "safe mode?" If so, then no. Nobody said to do it that way lol. What's the order of steps that I should use? (I really have no clue about this stuff.)
     
  2. 2007/06/07
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Safe Mode (F8 boot menu) can boot the pc w/ out networking, thus if you do have some undetected malware it will not be able to connect to the www & download other malware. Safe Mode also uses generic drivers and normal startup programs don't load. Just the minimal stuff needed to get a graphical desktop loaded.

    Check up on ldserv.exe; according to this site, some malware also uses that name:
    http://www.file.net/process/ldserv.exe.html
    Do a search on the comp to see where it's located.
     
    Last edited: 2007/06/07


  4. 2007/06/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    From the HijackThis log

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}, wait for it to complete the search, then click OK at the prompt. When WordPad opens, copy that back here please.
     
  5. 2007/06/08
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    I ran all proggies again in Safe Mode including HJT, ComboFix, and SDFix (both "run this" and "catch me"). No dice. *sigh*

    I'm about ready to take a sledgehammer to the darn thing. :mad: :eek:

    For what it's worth, I *do* have and use a NetDisk backup drive, so I'm not so sure that is the problem. But here are the regedit results, just in case:


    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}" 6/8/2007 1:20:39 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\iexplore]



    What is this line at the end of the HJT log?:
    O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
     
  6. 2007/06/08
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    snmptrap.exe is a Windows service that is used in networking. The Simple Network Management Protocol is used to monitor attached network devices such as routers, network drives, etc. It was likely installed with the NetDisk backup drive you have.

    Just because HjT says "file missing" does not mean that the file is really missing. It means that HjT is not able to actually read the file or use Windows' existing lower-level procedures to read the file and identify it or analyze it.

    The only time to safely use HjT to "fix" the "file missing" & "no file" objects is when those terms appear in BHOs & Toolbars sections of the log.
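An added example, written for this page in Python (not HijackThis code and not posted by anyone in this thread), that applies the rule above to sample log lines: it parses HJT entry lines, picks out the ones marked "(file missing)" or "(no file)", and reports whether each sits in an O2 (BHO) or O3 (Toolbar) section, where letting HijackThis fix the entry is the safe move, or elsewhere (an O4 Run entry, an O23 service), where the entry needs a manual look first. The log text is a constructed sample: the Acrobat O2 line, the O3 line and the snmptrap O23 line are copied from the log posted later in this thread, while the "(no file)" O2 line and the O4 line are made up to exercise the rule. The function names (`parse_hjt_line`, `triage_missing`, `sections_mentioning`) are this example's own.

```python
import re

# Constructed sample of HijackThis v1.99.1 log lines. The Acrobat O2 line, the
# O3 line and the O23 snmptrap line are copied from the log posted in this
# thread; the O2 "(no file)" line and the O4 "(file missing)" line are made up
# to exercise the rule and do not come from the poster's machine.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [ExampleEntry] C:\Example\missing.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)
"""

# Sections where a "file missing" / "no file" entry is a dead registration that
# HijackThis can safely remove, per the advice in this thread: O2 (BHOs) and
# O3 (Toolbars). Everywhere else the marker may just mean HJT could not read
# the file, so the entry gets a manual look instead of a blind "fix".
SAFE_TO_FIX_SECTIONS = {"O2", "O3"}
MISSING_MARKERS = ("(file missing)", "(no file)")

# An entry line starts with a section tag (O2, O23, R1, N3, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")


def parse_hjt_line(line):
    """Return {'section', 'text', 'missing'} for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, text = m.groups()
    return {"section": section, "text": text,
            "missing": text.endswith(MISSING_MARKERS)}


def triage_missing(log_text):
    """List every 'missing' entry and whether it sits in a safe-to-fix section."""
    out = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and entry["missing"]:
            entry["safe_to_fix"] = entry["section"] in SAFE_TO_FIX_SECTIONS
            out.append(entry)
    return out


def sections_mentioning(log_text, clsid):
    """Sorted list of the log sections that reference a given CLSID."""
    entries = (parse_hjt_line(ln) for ln in log_text.splitlines())
    return sorted({e["section"] for e in entries
                   if e and clsid.lower() in e["text"].lower()})


if __name__ == "__main__":
    for e in triage_missing(SAMPLE_LOG):
        verdict = "safe to fix in HJT" if e["safe_to_fix"] else "investigate manually first"
        print(f"{e['section']:>4}  {verdict}: {e['text']}")
```

Run as a script it prints one verdict per flagged entry; the O23 snmptrap line from this thread lands in the "investigate manually first" bucket, which is the point TonyT makes above.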
     
  7. 2007/06/08
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Okay. Good to know.

    Do you have any other suggestions for the problem I am experiencing? Forgive me for using inaccurate terms to describe what's happening, but it's like another program is "hijacking" Windows right after start-up. A new splash screen is inserted (just says "Welcome" instead of "Welcome, starting Windows..." etc.) Wallpaper and icons come up temporarily, then the wallpaper disappears (goes black, while leaving the icons on the desktop). Seconds later, the wallpaper comes back, but the desktop acts glitchy (hesitates), and minute black borders can be seen around the icons. If the icons are moved on the desktop, the borders change slightly. The screen refreshes with the same attributes if I open or close a file folder or run an application. It's as if the hijacking program is providing a new environment to make me *think* I'm "home," when the reality is a new environment has been created with a few barely perceptible flaws.

    That may or may not be exactly what's happening, but given the world of computer viruses in which we live, it's the first thing that came to mind. One thing is for sure though, it's not normal. Things have changed, and it started about three days ago after an ad pop-up appeared that crashed my browser and halted the computer, requiring me to hard re-start it.
     
  8. 2007/06/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the following bolded blue text to a blank notepad, then save it to the desktop as:

    Filename: remCLSID.bat
    Save As Type: All Files (*.*)

    REGEDIT4

    [-HKEY_CLASSES_ROOT\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]


    ***Make sure the format stays the same!

    Double click the bat to run it. It will open and close very quickly.
    Do another regsrch.vbs for {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} and post the contents if anything is found.
     
  9. 2007/06/08
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Two results found:

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\iexplore]

    (I have not rebooted or run any other proggies.)
     
  10. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the remCLSID.bat and select edit to open it in notepad. Replace the previous text with the following.

    REGEDIT4

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]


    Close the bat, saving the changes, then double click to run. Do another regsrch.vbs
     
  11. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Here ya go:

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\iexplore]


    Looks like the same two results.
     
  12. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Oops! Edit that bat file again, placing a minus sign between the bracket and the H in the path, save and run again. :eek:


    REGEDIT4

    [-HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]
     
  13. 2007/06/09
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Often, desktop hijacks use a Web page for the wallpaper,
    this wallpaper could be a malware leftover.
    Have a look at the Desktop Web settings:
    rt click desktop > properties
    desktop tab
    customize desktop button
    web tab
    anything in the list of Web pages: ?
    if so, remove it(them) & uncheck Lock desktop items if checked.
     
  14. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Hmm. I think it's still the same result? Here are the two returns:


    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\iexplore]

    YES! That did restore my desktop back to the way it was. There WAS a URL there, which I deleted. Now there are no more black lines around the icons. For all intents and purposes, the desktop looks "normal."

    BUT... I have not rebooted yet. :eek:
    I fear the same Windows' splash screen will re-appear on start-up, and perhaps the desktop will be replaced again. The "O2" line comes back with ComboFix, but not with a standard re-boot. Odd? I'm not sure the bug is completely gone.
     
  15. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go ahead and reboot, then do another regsrch.vbs for that CLSID and post a new HijackThis log.
     
  16. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Okay, I rebooted. Here are the new results:

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\iexplore]



    Logfile of HijackThis v1.99.1
    Scan saved at 2:04:30 PM, on 6/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\XiMeta\NetDisk\LDServ.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\XiMeta\NetDisk\Admin.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\jakers.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
    O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)


    The desktop is back to normal, but the start-up is still... klunky, for lack of a better word. It's slower than normal, and the "welcome" splash screen is still different from the original one that used to say "Welcome, Windows starting," or something to that effect. This may all just be residual foul-ups and not be an actual problem any more per se, but I'd still like to be sure by getting it back to the way it was before the infection. Any suggestions going forward?
     
  17. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'd like to get this CLSID out of the way before we proceed, so please edit the remCLSID.bat, replacing everything in it with the contents of the code box using copy/paste (just to make sure we got it right ;) ).

    Code:
    REGEDIT4

    [-HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]

    Close and save the changes. Run the bat then do another regsrch. If it's still present, it's likely a permissions problem on that key/subkey and we'll take a different approach.
     
  18. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I was standing at the deli counter a few moments ago when suddenly MY mistake hit me, and I had to slap my head a few times. I have no idea what I was thinking ...... I've done this procedure countless times. My apologies :eek: :eek:

    Right click remCLSID.bat and rename. Change the bat extension to reg and click OK to the prompt. Double click to run and allow it to merge with the registry.

    Not to worry ..... running as a bat didn't hurt anything, just didn't do what it was supposed to.
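An added example, written for this page in Python (not regedit, RegSrch.vbs or anything posted in this thread), that models the two slips worked through in posts 10, 12 and 18: a `[KEY]` line in a REGEDIT4 file creates or touches the key, only `[-KEY]` deletes it (and its subkeys), and a file saved as .bat is run by cmd.exe rather than merged by regedit, so it changes nothing. The registry is a toy model, a set of key paths, seeded with the three paths RegSrch reported earlier in this thread; value lines ("Name"="data") and the HKCU-to-HKEY_USERS\SID aliasing are not modelled. The function names (`parse_reg`, `apply_reg`, `search_registry`, `regedit_will_merge`, `simulate`) are this example's own.

```python
import re

# Toy registry snapshot: the three key paths RegSrch reported in this thread
# for the CLSID being removed (paths copied from the posted search results).
CLSID = "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}"
SID = "S-1-5-21-3529363498-689911805-3147829007-1003"
STATS_KEY = (f"HKEY_USERS\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion"
             f"\\Ext\\Stats\\{CLSID}")
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           f"\\Explorer\\Browser Helper Objects\\{CLSID}")
SNAPSHOT = {BHO_KEY, STATS_KEY, STATS_KEY + "\\iexplore"}

# The file as written in post 10 (no minus sign) and as corrected in post 12.
REG_NO_MINUS = f"REGEDIT4\n\n[{STATS_KEY}]\n"
REG_WITH_MINUS = f"REGEDIT4\n\n[-{STATS_KEY}]\n"

KEY_LINE_RE = re.compile(r"\[(-?)([^\]]+)\]")


def parse_reg(text):
    """Parse a REGEDIT4 file into ('create'|'delete', key) tuples.

    '[KEY]' creates the key (a no-op on an existing one); '[-KEY]' deletes it.
    Comment lines (;) and blank lines are skipped; value lines are ignored here.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    ops = []
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        m = KEY_LINE_RE.fullmatch(ln)
        if m:
            ops.append(("delete" if m.group(1) else "create", m.group(2)))
    return ops


def apply_reg(registry, ops):
    """Apply parsed ops to a set of key paths; deleting a key removes its subkeys too."""
    reg = set(registry)
    for action, key in ops:
        if action == "create":
            reg.add(key)
        else:
            prefix = key + "\\"
            reg = {k for k in reg if k != key and not k.startswith(prefix)}
    return reg


def search_registry(registry, needle):
    """What RegSrch does for key names: every key path containing the string."""
    needle = needle.lower()
    return sorted(k for k in registry if needle in k.lower())


def regedit_will_merge(filename):
    """Only a .reg file is handed to regedit; a .bat is run by cmd.exe, which
    treats 'REGEDIT4' as an unknown command and leaves the registry untouched."""
    return filename.lower().endswith(".reg")


def simulate(filename, reg_text, registry):
    """Outcome of double-clicking `filename` containing `reg_text`."""
    if not regedit_will_merge(filename):
        return set(registry)
    return apply_reg(registry, parse_reg(reg_text))


if __name__ == "__main__":
    for name, text in (("remCLSID.bat", REG_WITH_MINUS),
                       ("remCLSID.reg", REG_NO_MINUS),
                       ("remCLSID.reg", REG_WITH_MINUS)):
        hits = search_registry(simulate(name, text, SNAPSHOT), CLSID)
        print(f"{name} ({'with' if '[-' in text else 'without'} minus): {len(hits)} hits left")
```

The three simulated runs mirror the thread: the .bat leaves all three keys, the .reg without the minus sign also leaves all three, and only the .reg with `[-KEY]` removes the Stats key and its iexplore subkey, leaving just the HKLM BHO key that this particular file never targeted.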
     
  19. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    That did it. Regsrch couldn't find the string after that.

    Now, the computer still boots up with the splash screen being replaced, but I think I'm narrowing in on where it might be. After running ATF Cleaner (with all boxes checked), the legit splash screen returns ("Windows is starting"), but just for a moment. So there's a command *somewhere* telling the computer to replace the real Windows splash screen on start-up and carry out unknown commands behind the curtain.

    See? I can talk tech too. lol J/K I'm glad the problem is slowly being resolved and can't thank you guys enough.
     
  20. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open HijackThis to the Misc Tools section. Under the Startup list section, check the boxes to list minor and empty sections, then click Generate Startuplist Log. Post the contents of that log.
     
  21. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    The following is the startuplist run in regular mode:

    StartupList report, 6/9/2007, 9:38:30 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\jakers.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\XiMeta\NetDisk\LDServ.exe
    C:\Program Files\XiMeta\NetDisk\Admin.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HijackThis\jakers.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    KBD = C:\HP\KBD\KBD.EXE
    checktime = c:\program files\HPSelect\Frontend\ct.exe
    StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    AlcxMonitor = ALCXMNTR.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.9362731481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,701 bytes
    Report generated in 0.078 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only




    This is the startup list run in safe mode, *after* ATF Cleaner was run (also in safe mode). Something about the bolded red text doesn't sound right:

    StartupList report, 6/9/2007, 9:43:36 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\jakers.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HijackThis\jakers.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    KBD = C:\HP\KBD\KBD.EXE
    checktime = c:\program files\HPSelect\Frontend\ct.exe
    StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    AlcxMonitor = ALCXMNTR.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.9362731481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Documents and Settings\Owner\Local Settings\temp\~DF17B.tmp||C:\Documents and Settings\Owner\Cookies\index.dat||C:\Documents and Settings\Owner\Local Settings\temp\~DF17B.tmp||C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Owner\cookies\index.dat|||\
    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,845 bytes
    Report generated in 0.062 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    Last edited: 2007/06/09
