
Malware infection w/ HJT and other log files attached

Discussion in 'Malware and Virus Removal Archive' started by AgentPat, 2007/06/04.

  1. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Those items in red are temporary files that could not be deleted by ATF due to being in use. The utility uses the PendingFileRenameOperation to complete its work upon reboot. Quite normal. ;)

    It appears that you did not check the boxes next to the Generate StartupList Log button before clicking it. Please redo it and post the new log.
     
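    As an added example (not code from the post above, nor from ATF Cleaner), the script below decodes what is queued in the PendingFileRenameOperations value so the cleanup a tool has scheduled for the next reboot can be reviewed before rebooting. It assumes the value was exported with reg.exe into a regedit-5.00-style .reg file (the command is in the docstring); the sample value is constructed, and the temp-path heuristic in review() is this example's own.

    ```python
r"""Decode PendingFileRenameOperations from a reg.exe export (added example).

The value, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, is a
REG_MULTI_SZ: UTF-16LE strings separated by NUL and ended by a double NUL, read
as (source, destination) pairs. An empty destination means "delete source at
boot"; a destination starting with '!' means "replace an existing file".
Python's winreg stops at the first empty string in a MULTI_SZ, so the value is
taken from a .reg export instead (Windows-only step, assumed to be run first):
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg
"""
from dataclasses import dataclass
from typing import List, Optional

VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"            # object-namespace prefix on every queued path


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None: the source is deleted at boot
    replace_existing: bool      # destination carried the '!' prefix


def make_reg_export(strings: List[str], value_name: str = VALUE_NAME) -> str:
    """Build .reg text for a REG_MULTI_SZ value; used to construct the sample below."""
    raw = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    pairs = [f"{b:02x}" for b in raw]
    chunks = [",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20)]
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
            f'"{value_name}"=hex(7):' + ",\\\n  ".join(chunks) + "\n")


def hex7_from_reg_export(text: str, value_name: str = VALUE_NAME) -> Optional[bytes]:
    """Pull the raw bytes of a hex(7) (REG_MULTI_SZ) value out of .reg text."""
    prefix = f'"{value_name}"=hex(7):'
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):]
        while body.endswith("\\") and i + 1 < len(lines):  # regedit wraps lines with ',\'
            i += 1
            body = body[:-1] + lines[i].strip()
        return bytes.fromhex(body.replace(",", ""))
    return None


def multi_sz_to_strings(raw: bytes) -> List[str]:
    """Split a MULTI_SZ blob into strings, keeping the empty ones that mark deletions."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]        # drop only the list terminator
    return text.split("\0") if text else []


def _strip(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(strings: List[str]) -> List[PendingOp]:
    """Pair the strings up; an odd count means the value is malformed."""
    if len(strings) % 2:
        raise ValueError(f"{VALUE_NAME} holds an odd number of strings")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(_strip(src), _strip(dst) if dst else None, replace))
    return ops


def _in_temp(path: str) -> bool:
    p = path.lower()
    return "\\temp\\" in p or "\\temporary internet files\\" in p


def review(ops: List[PendingOp]) -> List[str]:
    """One line per operation: temp-file deletions are what a cleaner leaves behind;
    anything landing outside a temp location is marked CHECK for a look before reboot."""
    out = []
    for op in ops:
        if op.destination is None:
            what, target = f"delete  {op.source}", op.source
        else:
            tag = " (replace existing)" if op.replace_existing else ""
            what, target = f"rename  {op.source} -> {op.destination}{tag}", op.destination
        out.append(("ok     " if _in_temp(target) else "CHECK  ") + what)
    return out


SAMPLE_STRINGS = [              # constructed sample, shaped like a real value
    r"\??\C:\WINDOWS\Temp\~DF3A21.tmp", "",
    r"\??\C:\Documents and Settings\Owner\Local Settings\Temp\tmpA1.tmp", "",
    r"\??\C:\WINDOWS\Temp\staged.dll", r"!\??\C:\WINDOWS\system32\example.dll",
]
SAMPLE_REG = make_reg_export(SAMPLE_STRINGS)


def pending_ops_from_reg_export(text: str) -> List[PendingOp]:
    raw = hex7_from_reg_export(text)
    return parse_pending_ops(multi_sz_to_strings(raw)) if raw is not None else []


if __name__ == "__main__":
    import sys
    # regedit 5.00 exports are UTF-16 with a BOM; with no argument the sample is used
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print("\n".join(review(pending_ops_from_reg_export(text))))
    ```

    Run it against the exported file (`python pending_ops.py sm.reg`) and read the CHECK lines first; the sample queues two temp-file deletions and one staged DLL that would replace a file under system32, which is exactly the kind of entry to account for before letting the machine reboot.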
  2. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Okay, good to know it's legit. It just looked suspicious.

    :confused:

    These boxes?:
    http://www.patcostello.com/images/startuplist.gif

    Here are the results after hitting "Generate StartupList Log":

    StartupList report, 6/9/2007, 10:54:37 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\jakers.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\XiMeta\NetDisk\LDServ.exe
    C:\Program Files\XiMeta\NetDisk\Admin.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HijackThis\jakers.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    KBD = C:\HP\KBD\KBD.EXE
    checktime = c:\program files\HPSelect\Frontend\ct.exe
    StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    AlcxMonitor = ALCXMNTR.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.9362731481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,702 bytes
    Report generated in 0.016 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     


  4. 2007/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yep, those are the ones. Not sure why we're not getting a complete log, and everything looks fine in it. Let's do some snooping with another tool.

    Download WinPFind3U.exe by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Close ALL OTHER PROGRAMS.
    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click All
    • In the Win32 Services group click Non-Microsoft
    • In the Driver Services group click Non-Microsoft
    • In the Registry group click Non-Microsoft
    • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED.
    • In the File String Search group select Non-Microsoft
    In the Additional scans section to the right, check Non-Microsoft
    Scroll down and check the box for:
    • Reg-Desktop Components
    • Reg-Disabled Ms Config Items
    Now click the Run Scan button on the toolbar.

    The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.

    When the scan is complete Notepad will open with the report file loaded in it.
    Save that notepad file and post the results here. It may take more than one post, as there is a max character limit per post on this forum.
     
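    Added example, not OldTimer's code and not part of the instructions above: once the WinPFind3U report exists, its per-entry lines can be parsed into records and sorted for a second look. The sample lines copy the shape of entries from the log posted in this thread; the two triage rules (a registered entry whose file is gone, a running binary whose version resource names no publisher) are this example's own heuristics, and the exemption for disabled driver entries rests on those being routine leftovers on XP rather than on anything the scan itself reports.

    ```python
"""Structure WinPFind3U report lines and raise triage hints (added example).

Each entry the scan prints has the shape
    name -> path -> publisher [Ver = v | Size = n bytes | Modified Date = d | Attr = a]
or, for a registered service or driver whose binary is gone,
    name -> path -> File not found
DLLs hosted by a svchost process appear on their own lines with an empty name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ARROW = re.compile(r"\s*->\s*")
DETAILS = re.compile(
    r"^(?P<publisher>.*?)\s*\[Ver =\s*(?P<version>.*?)\s*\| Size = (?P<size>\d+) bytes"
    r" \| Modified Date = (?P<modified>.*?) \| Attr =\s*(?P<attr>.*?)\]$"
)
# "(name) Display Name [Type | Start | State]" on service and driver lines
SERVICE_STATE = re.compile(r"\[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^|\]]+)\]$")


@dataclass
class Entry:
    name: str            # "" for a DLL listed under the preceding svchost process
    path: str
    publisher: str
    version: str
    size: Optional[int]
    modified: str
    missing: bool        # the scan printed "File not found"


def parse_line(line: str) -> Optional[Entry]:
    parts = ARROW.split(line.strip())
    if len(parts) != 3:
        return None      # section header, blank line, or a layout this parser does not know
    name, path, tail = parts
    if tail == "File not found":
        return Entry(name, path, "", "", None, "", True)
    m = DETAILS.match(tail)
    if m is None:
        return None
    return Entry(name, path, m["publisher"], m["version"], int(m["size"]), m["modified"], False)


def parse_report(text: str) -> List[Entry]:
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[str]:
    """Hints for a second look, not verdicts: a registered entry whose file is gone
    (disabled legacy driver entries excepted, they are routine on XP) and a
    binary whose version resource names no publisher."""
    hints = []
    for e in entries:
        m = SERVICE_STATE.search(e.name)
        start = m["start"] if m else None
        if e.missing:
            if start != "Disabled":
                hints.append(f"file missing for registered entry: {e.name or e.path}")
        elif not e.publisher:
            hints.append(f"no publisher in version info: {e.name} ({e.path})")
    return hints


# sample lines taken in shape from the thread's log
SAMPLE_REPORT = r"""[Processes - All]
smss.exe -> %System32%\smss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50688 bytes | Modified Date = 8/4/2004 3:56:56 AM | Attr = ]
ldserv.exe -> %ProgramFiles%\XiMeta\NetDisk\LDServ.exe -> [Ver = | Size = 81920 bytes | Modified Date = 7/30/2003 1:02:58 PM | Attr = ]
-> %System32%\appmgmts.dll [AppMgmt] -> File not found

[Win32 Services - Non-Microsoft Only]
(SNMPTRAP) SNMP Trap Service [Win32_Own | On_Demand | Stopped] -> %System32%\snmptrap.exe -> File not found

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for hint in triage(parse_report(text)):
        print(hint)
    ```

    On the sample this prints three hints: the NetDisk service binary with no publisher in its version resource, the netsvcs DLL that is registered but absent, and the SNMP trap service pointing at a file that is not there. The disabled Abiosdsk entry is deliberately left out. None of these is a finding by itself; the value is that a long report collapses to a handful of entries to verify by hand.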
  5. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Wow. Just wow. LOL

    Here ya go. PART 1!

    WinPFind3 logfile created on: 6/10/2007 12:27:15 AM
    WinPFind3U by OldTimer - Version 1.0.38 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2900.2180)

    511.48 Mb Total Physical Memory | 336.54 Mb Available Physical Memory | 65.80% Memory free
    1.22 Gb Paging File | 1.08 Gb Available in Paging File | 88.68% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 69.53 Gb Total Space | 44.73 Gb Free Space | 64.34% Space Free
    Drive D: | 5.02 Gb Total Space | 0.92 Gb Free Space | 18.28% Space Free
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded

    Computer Name: HP-PAVILION
    Current User Name: Owner
    Logged in as Administrator.
    Current Boot Mode: Normal


    [Processes - All]
    smss.exe -> %System32%\smss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50688 bytes | Modified Date = 8/4/2004 3:56:56 AM | Attr = ]
    csrss.exe -> %System32%\csrss.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6144 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr = ]
    winlogon.exe -> %System32%\winlogon.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 502272 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    services.exe -> %System32%\services.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Modified Date = 8/4/2004 3:56:56 AM | Attr = ]
    lsass.exe -> %System32%\lsass.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Modified Date = 8/4/2004 3:56:50 AM | Attr = ]
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\rpcss.dll [DcomLaunch] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:50 AM | Attr = ]
    -> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 295424 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> [Wmi] -> File not found
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\rpcss.dll [RpcSs] -> Microsoft Corporation [Ver = 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Size = 397824 bytes | Modified Date = 7/26/2005 12:39:50 AM | Attr = ]
    -> [Wmi] -> File not found
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\appmgmts.dll [AppMgmt] -> File not found
    -> %System32%\audiosrv.dll [AudioSrv] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 42496 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\qmgr.dll [BITS] -> Microsoft Corporation [Ver = 6.6.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 382464 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\browser.dll [Browser] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 77312 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\cryptsvc.dll [CryptSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 60416 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\dhcpcsvc.dll [Dhcp] -> Microsoft Corporation [Ver = 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) | Size = 111616 bytes | Modified Date = 5/19/2006 8:59:42 AM | Attr = ]
    -> %System32%\dmserver.dll [dmserver] -> Microsoft Corp. [Ver = 2600.2180.503.0 | Size = 23552 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\ersvc.dll [ERSvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 23040 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\es.dll [EventSystem] -> Microsoft Corporation [Ver = 2001.12.4414.308 | Size = 243200 bytes | Modified Date = 7/26/2005 12:39:46 AM | Attr = ]
    -> %System32%\shsvcs.dll [FastUserSwitchingCompatibility] -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 134656 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll [helpsvc] -> File not found
    -> %System32%\hidserv.dll [HidServ] -> File not found
    -> %System32%\srvsvc.dll [lanmanserver] -> Microsoft Corporation [Ver = 5.1.2600.2577 (xpsp_sp2_gdr.041130-1729) | Size = 96768 bytes | Modified Date = 12/7/2004 3:32:34 PM | Attr = ]
    -> %System32%\wkssvc.dll [lanmanworkstation] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 132096 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\msgsvc.dll [Messenger] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 33792 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\netman.dll [Netman] -> Microsoft Corporation [Ver = 5.1.2600.2743 (xpsp_sp2_gdr.050819-1525) | Size = 197632 bytes | Modified Date = 8/22/2005 2:29:46 PM | Attr = ]
    -> %System32%\mswsock.dll [Nla] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 245248 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\ntmssvc.dll [NtmsSvc] -> Microsoft Corporation [Ver = 5.1.2400.2180 | Size = 435200 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\rasauto.dll [RasAuto] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 89088 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\rasmans.dll [RasMan] -> Microsoft Corporation [Ver = 5.1.2600.2908 (xpsp_sp2_gdr.060513-0343) | Size = 181248 bytes | Modified Date = 5/14/2006 4:44:08 AM | Attr = ]
    -> %System32%\mprdim.dll [RemoteAccess] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 49152 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    -> %System32%\schedsvc.dll [Schedule] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 190976 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\seclogon.dll [seclogon] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 18944 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\sens.dll [SENS] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 38912 bytes | Modified Date = 8/4/2004 3:56:44 AM | Attr = ]
    -> %System32%\ipnathlp.dll [SharedAccess] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 331264 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\shsvcs.dll [ShellHWDetection] -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 134656 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\srsvc.dll [srservice] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 170496 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\tapisrv.dll [TapiSrv] -> Microsoft Corporation [Ver = 5.1.2600.2716 (xpsp_sp2_gdr.050707-1657) | Size = 249344 bytes | Modified Date = 7/8/2005 12:27:56 PM | Attr = ]
    -> %System32%\shsvcs.dll [Themes] -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 134656 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\trkwks.dll [TrkWks] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 90624 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\w32time.dll [W32Time] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 174592 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\wbem\WMIsvc.dll [winmgmt] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 144896 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\mspmsnsv.dll [WmdmPmSN] -> Microsoft Corporation [Ver = 10.0.3790.3646 | Size = 25088 bytes | Modified Date = 9/22/2004 7:45:54 PM | Attr = ]
    -> %System32%\wscsvc.dll [wscsvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 81408 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\wuauserv.dll [wuauserv] -> Microsoft Corporation [Ver = 5.4.3790.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6656 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\wzcsvc.dll [WZCSVC] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 359936 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\xmlprov.dll [xmlprov] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> [Wmi] -> File not found
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\dnsrslvr.dll [Dnscache] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 45568 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> [Wmi] -> File not found
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\alrsvc.dll [Alerter] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 17408 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\lmhsvc.dll [LmHosts] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13824 bytes | Modified Date = 8/4/2004 3:56:42 AM | Attr = ]
    -> %System32%\ssdpsrv.dll [SSDPSRV] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 71680 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\upnphost.dll [upnphost] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 185344 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> %System32%\webclnt.dll [WebClient] -> Microsoft Corporation [Ver = 5.1.2600.2821 (xpsp_sp2_gdr.060103-1536) | Size = 68096 bytes | Modified Date = 1/3/2006 11:35:06 PM | Attr = ]
    -> [Wmi] -> File not found
    spoolsv.exe -> %System32%\spoolsv.exe -> Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) | Size = 57856 bytes | Modified Date = 6/10/2005 7:53:32 PM | Attr = ]
    explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Modified Date = 8/4/2004 3:56:50 AM | Attr = ]
    hpqcmon.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe -> [Ver = 1.1.0.121 | Size = 69632 bytes | Modified Date = 6/18/2002 2:11:24 AM | Attr = ]
    kbd.exe -> %SystemDrive%\hp\KBD\KBD.EXE -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 7/7/2001 12:56:56 AM | Attr = ]
    guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
    pdvdserv.exe -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 11/2/2004 9:24:46 PM | Attr = ]
    nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.6693 | Size = 127043 bytes | Modified Date = 10/29/2004 5:50:00 PM | Attr = ]
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    -> %System32%\wiaservc.dll [stisvc] -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 333312 bytes | Modified Date = 8/4/2004 3:56:46 AM | Attr = ]
    -> [Wmi] -> File not found
    wdfmgr.exe -> %System32%\wdfmgr.exe -> Microsoft Corporation [Ver = 5.2.3790.1230 built by: DNSRV(bld4act) | Size = 38912 bytes | Modified Date = 9/22/2004 7:46:10 PM | Attr = ]
    ldserv.exe -> %ProgramFiles%\XiMeta\NetDisk\LDServ.exe -> [Ver = | Size = 81920 bytes | Modified Date = 7/30/2003 1:02:58 PM | Attr = ]
    admin.exe -> %ProgramFiles%\XiMeta\NetDisk\Admin.exe -> XiMeta, Inc. [Ver = 1, 2, 21, 0 | Size = 1441792 bytes | Modified Date = 7/30/2003 1:02:24 PM | Attr = ]
    wscntfy.exe -> %System32%\wscntfy.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13824 bytes | Modified Date = 8/4/2004 3:56:58 AM | Attr = ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

    [Win32 Services - Non-Microsoft Only]
    (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr = ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr = ]
    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 1:41:10 AM | Attr = ]
    (NetDisk_Service) NetDisk Service [Win32_Own | Auto | Running] -> %ProgramFiles%\XiMeta\NetDisk\LDServ.exe -> [Ver = | Size = 81920 bytes | Modified Date = 7/30/2003 1:02:58 PM | Attr = ]
    (NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.6693 | Size = 127043 bytes | Modified Date = 10/29/2004 5:50:00 PM | Attr = ]
    (OKI OPHD DCS Loader) OKI OPHD DCS Loader [Win32_Own | On_Demand | Stopped] -> %System32%\spool\drivers\w32x86\3\OPHDLDCS.EXE -> Oki Data Corporation [Ver = 1, 0, 3, 0 | Size = 24576 bytes | Modified Date = 9/30/2005 5:35:42 PM | Attr = ]
    (SNMPTRAP) SNMP Trap Service [Win32_Own | On_Demand | Stopped] -> %System32%\snmptrap.exe -> File not found

    [Driver Services - Non-Microsoft Only]
    (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
    (abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
    (adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
    (AFS2K) AFS2K [Kernel | System | Running] -> %System32%\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.21.1103 | Size = 35840 bytes | Modified Date = 10/7/2004 9:16:04 PM | Attr = ]
    (Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
    (aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
    (aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
    (ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\ALCXWDM.SYS -> Realtek Semiconductor Corp. [Ver = 5.10.5730 built by: WinDDK | Size = 2279424 bytes | Modified Date = 10/1/2004 10:24:02 AM | Attr = ]
    (AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
    (amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
    (asc) asc [Kernel | Disabled | Stopped] -> -> File not found
    (asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
    (asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
    (Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
    (AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 11000 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr = ]
    (AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr = ]
    (cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
    (Changer) Changer [Kernel | System | Stopped] -> -> File not found
    (CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
    (Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
    (dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
    (dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 2:07:18 AM | Attr = ]
    (dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 2:07:16 AM | Attr = ]
    (dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    (dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
    (drvmcdb) drvmcdb [Kernel | Boot | Running] -> %System32%\drivers\drvmcdb.sys -> VERITAS Software, Inc. [Ver = 3.21.29a | Size = 81552 bytes | Modified Date = 6/5/2002 1:21:00 PM | Attr = ]
    (drvnddm) drvnddm [File_System | Auto | Running] -> %System32%\drivers\drvnddm.sys -> VERITAS Software, Inc. [Ver = 2.56.25a | Size = 40368 bytes | Modified Date = 6/6/2002 12:56:00 PM | Attr = ]
    (E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 8/17/2001 3:12:10 PM | Attr = ]
    (hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
    (hpt3xx) hpt3xx [Kernel | Disabled | Stopped] -> -> File not found
    (i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
    (i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
    (i81x) i81x [Kernel | On_Demand | Stopped] -> %System32%\drivers\i81xnt5.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 158140 bytes | Modified Date = 8/8/2001 4:13:36 PM | Attr = ]
    (iAimFP0) iAimFP0 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wADV01nt.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 12479 bytes | Modified Date = 8/8/2001 4:13:30 PM | Attr = ]
    (iAimFP1) iAimFP1 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wADV02NT.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 12031 bytes | Modified Date = 8/8/2001 4:13:30 PM | Attr = ]
    (iAimFP2) iAimFP2 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wADV05NT.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 11679 bytes | Modified Date = 8/8/2001 4:13:30 PM | Attr = ]
    (iAimFP3) iAimFP3 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wSiINTxx.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 11999 bytes | Modified Date = 8/8/2001 4:13:28 PM | Attr = ]
    (iAimFP4) iAimFP4 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wVchNTxx.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 19359 bytes | Modified Date = 8/8/2001 4:13:28 PM | Attr = ]
    (iAimTV0) iAimTV0 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wATV01nt.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 29215 bytes | Modified Date = 8/8/2001 4:13:24 PM | Attr = ]
    (iAimTV1) iAimTV1 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wATV02NT.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 19199 bytes | Modified Date = 8/8/2001 4:13:24 PM | Attr = ]
    (iAimTV3) iAimTV3 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wATV04nt.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 33503 bytes | Modified Date = 8/8/2001 4:13:26 PM | Attr = ]
    (iAimTV4) iAimTV4 [Kernel | On_Demand | Stopped] -> %System32%\drivers\wCh7xxNT.sys -> Intel(R) Corporation [Ver = 6.13.01.2872 | Size = 23519 bytes | Modified Date = 8/8/2001 4:13:24 PM | Attr = ]
    (ialm) ialm [Kernel | On_Demand | Stopped] -> %System32%\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.13.01.3119 | Size = 78045 bytes | Modified Date = 5/22/2002 10:42:54 PM | Attr = ]
    (ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
    (LanscsiBus) Lanscsi Bus Enumerator [Kernel | On_Demand | Running] -> %System32%\drivers\LanscsiBus.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.5438 | Size = 27264 bytes | Modified Date = 7/30/2003 1:03:26 PM | Attr = ]
    (lanscsiminiport) Lanscsi SCSI Miniport Driver for NetDisk [Kernel | On_Demand | Running] -> %System32%\drivers\lanscsiminiport.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.5438 | Size = 5760 bytes | Modified Date = 7/30/2003 1:03:34 PM | Attr = ]
    (lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
    (Lpx) XiMeta Lpx Protocol [Kernel | Auto | Running] -> %System32%\drivers\Lpx.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.5438 | Size = 108288 bytes | Modified Date = 7/30/2003 1:03:40 PM | Attr = ]
    (ltmodem5) LT Modem Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ltmdmnt.sys -> LT [Ver = 8.28 | Size = 625537 bytes | Modified Date = 3/31/2003 2:29:00 PM | Attr = ]
    (mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
    (ntgrip) Gravis GamePort device driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\ntgrip.sys -> Kensington Technology Group [Ver = 1.00 | Size = 51552 bytes | Modified Date = 8/17/2001 1:49:04 PM | Attr = ]
    (nv) nv [Kernel | On_Demand | Running] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.6693 | Size = 2826944 bytes | Modified Date = 10/29/2004 5:50:00 PM | Attr = ]
    (nv4) nv4 [Kernel | On_Demand | Stopped] -> %System32%\drivers\nv4.sys -> NVIDIA Corporation [Ver = 5.01.2001.1240 (ReleasedBinaries.010717-0141) | Size = 731648 bytes | Modified Date = 8/17/2001 3:50:26 PM | Attr = ]
    (nv_agp) NVIDIA nForce AGP Bus Filter [Kernel | Boot | Running] -> %System32%\drivers\nv_agp.SYS -> NVIDIA Corporation [Ver = 4.12.01.0217 | Size = 13502 bytes | Modified Date = 12/8/2001 12:26:00 AM | Attr = ]
    (PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
    (PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
    (PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
    (PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
    (PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
    (perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
    (perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
    (pfc) Padus ASPI Shell [Kernel | On_Demand | Running] -> %System32%\drivers\pfc.sys -> Padus, Inc. [Ver = 2, 5, 0, 196 | Size = 13780 bytes | Modified Date = 3/9/2002 12:40:10 AM | Attr = ]
    (Ps2) Ps2 [Kernel | On_Demand | Running] -> %System32%\drivers\PS2.sys -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 14112 bytes | Modified Date = 6/4/2001 5:00:00 PM | Attr = ]
    (Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    (PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.02.62a | Size = 20016 bytes | Modified Date = 5/19/2004 12:33:44 PM | Attr = ]
    (ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
    (Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
    (ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
    (ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
    (ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
    (ROFilt) ROFilt [Kernel | Auto | Running] -> %System32%\drivers\ROFilt.sys -> XiMeta, Inc. [Ver = 1.0.0 | Size = 33792 bytes | Modified Date = 7/30/2003 1:03:56 PM | Attr = ]
    (rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Running] -> %System32%\drivers\rtl8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 8/4/2004 1:31:32 AM | Attr = ]
    (S3Psddr) S3Psddr [Kernel | On_Demand | Stopped] -> %System32%\drivers\s3gnbm.sys -> S3 Graphics, Inc. [Ver = 6.13.10.1083-13.93.48 | Size = 155008 bytes | Modified Date = 7/13/2002 7:27:04 AM | Attr = ]
    (Secdrv) Secdrv [Kernel | Auto | Running] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    (Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
    (SiS315) SiS315 [Kernel | On_Demand | Stopped] -> %System32%\drivers\sisgrp.sys -> Silicon Integrated Systems Corporation [Ver = 6.13.10.2072 built by: WinDDK | Size = 188032 bytes | Modified Date = 4/9/2002 1:44:56 AM | Attr = ]
    (SISAGP) SiS AGP Filter [Kernel | Boot | Running] -> %System32%\drivers\SISAGP.SYS -> Silicon Integrated Systems Corporation [Ver = 6.1.2091.0 built by: WinDDK | Size = 27136 bytes | Modified Date = 12/27/2001 6:52:58 AM | Attr = ]
    (Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
    (sscdbhk5) sscdbhk5 [File_System | System | Running] -> %System32%\drivers\sscdbhk5.sys -> VERITAS Software, Inc. [Ver = 1.10.57a | Size = 5589 bytes | Modified Date = 6/19/2002 7:43:44 PM | Attr = ]
    (ssrtln) ssrtln [File_System | System | Running] -> %System32%\drivers\ssrtln.sys -> VERITAS Software, Inc. [Ver = 1.10.57a | Size = 22995 bytes | Modified Date = 6/19/2002 7:42:58 PM | Attr = ]
    (symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
    (symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
    (sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
    (sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
    (tfsnboio) tfsnboio [File_System | Auto | Running] -> %System32%\dla\tfsnboio.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 23701 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsncofs) tfsncofs [File_System | Auto | Running] -> %System32%\dla\tfsncofs.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 34805 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsndrct) tfsndrct [File_System | Auto | Running] -> %System32%\dla\tfsndrct.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 4117 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsndres) tfsndres [File_System | Auto | Running] -> %System32%\dla\tfsndres.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 2201 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsnifs) tfsnifs [File_System | Auto | Running] -> %System32%\dla\tfsnifs.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 54900 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsnopio) tfsnopio [File_System | Auto | Running] -> %System32%\dla\tfsnopio.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 14421 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsnpool) tfsnpool [File_System | Auto | Running] -> %System32%\dla\tfsnpool.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 6325 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsnudf) tfsnudf [File_System | Auto | Running] -> %System32%\dla\tfsnudf.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 91156 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %System32%\dla\tfsnudfa.sys -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 95125 bytes | Modified Date = 7/16/2002 11:03:00 AM | Attr = ]
    (TnIDriver) TnIDriver [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Owner\LOCALS~1\Temp\tni705.tmp -> File not found
    (TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
    (ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
    (viaagp1) VIA AGP Filter [Kernel | Boot | Running] -> %System32%\drivers\VIAAGP1.SYS -> VIA Technologies, Inc. [Ver = 5.00.00.2410 built by: VIA | Size = 27648 bytes | Modified Date = 3/4/2002 2:10:00 PM | Attr = ]


    (cont.)
     
  6. 2007/06/09
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Part 2!

    (WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
    ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel(R) Graphics Platform (SoftBIOS) Driver [Kernel | System | Stopped] -> %System32%\drivers\ialmsbw.sys -> Intel Corporation [Ver = 6.13.01.3119 | Size = 90336 bytes | Modified Date = 5/22/2002 10:43:56 PM | Attr = ]
    ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel(R) Graphics Chipset (KCH) Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\ialmkchw.sys -> Intel Corporation [Ver = 6.13.01.3119 | Size = 69504 bytes | Modified Date = 5/22/2002 10:44:06 PM | Attr = ]

    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AlcxMonitor -> %SystemRoot%\ALCXMNTR.EXE -> Realtek Semiconductor Corp. [Ver = 1.5 | Size = 57344 bytes | Modified Date = 9/7/2004 1:47:52 PM | Attr = ]
    CamMonitor -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe -> [Ver = 1.1.0.121 | Size = 69632 bytes | Modified Date = 6/18/2002 2:11:24 AM | Attr = ]
    checktime -> %ProgramFiles%\HPSelect\frontend\ct.exe -> [Ver = | Size = 45056 bytes | Modified Date = 1/26/2002 4:05:46 PM | Attr = ]
    KBD -> %SystemDrive%\hp\KBD\KBD.EXE -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 7/7/2001 12:56:56 AM | Attr = ]
    NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.6693 | Size = 4620288 bytes | Modified Date = 10/29/2004 5:50:00 PM | Attr = ]
    nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.6693 | Size = 921600 bytes | Modified Date = 10/29/2004 5:50:00 PM | Attr = ]
    QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.0.3 | Size = 155648 bytes | Modified Date = 12/5/2005 9:33:04 PM | Attr = ]
    RemoteControl -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 11/2/2004 9:24:46 PM | Attr = ]
    StorageGuard -> %ProgramFiles%\VERITAS Software\Update Manager\sgtray.exe -> VERITAS Software, Inc. [Ver = 1.01.01a | Size = 155648 bytes | Modified Date = 5/9/2002 11:01:00 AM | Attr = ]
    < OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
    IMAIL -> Installed = 1 ->
    MAPI -> Installed = 1 ->
    MSFS -> Installed = 1 ->
    < Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    %AllUsersStartup%\NetDisk Administrator.lnk -> %ProgramFiles%\XiMeta\NetDisk\Admin.exe -> XiMeta, Inc. [Ver = 1, 2, 21, 0 | Size = 1441792 bytes | Modified Date = 7/30/2003 1:02:24 PM | Attr = ]
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr = ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3,0,0,1607 | Size = 307200 bytes | Modified Date = 5/15/2002 6:20:14 AM | Attr = ]
    < CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
    < CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
    < HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
    127.0.0.1 localhost -> ->
    < Internet Explorer Settings > ->
    HKLM: Default_Page_URL -> http://www.comcast.net ->
    HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
    HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
    HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
    HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
    HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
    HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKCU: Start Page -> about:blank ->
    HKCU: ProxyEnable -> 0 ->
    HKCU: ProxyOverride -> localhost ->
    < Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    msn.com [ - ] -> ->
    < Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    aol.com [ - ] -> ->
    free_aol.com [ - ] -> ->
    free_aol.com [http] -> ->
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 3/2/2001 10:02:04 PM | Attr = ]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [UberButton Class] -> Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Modified Date = 5/26/2005 11:38:44 AM | Attr = ]
    {65D886A2-7CA7-479B-BB95-14D1EFB7946A} [HKLM] -> %ProgramFiles%\Yahoo!\Common\YIeTagBm.dll [YahooTaggedBM Class] -> Yahoo! Inc. [Ver = 2005, 1, 24, 1 | Size = 115832 bytes | Modified Date = 1/24/2005 9:55:32 AM | Attr = ]
    < Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yhexbmesus.dll [&Yahoo! Messenger] -> Yahoo! Inc. [Ver = 2005, 5, 11, 1 | Size = 316552 bytes | Modified Date = 5/11/2005 5:06:02 PM | Attr = ]
    < Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yhexbmesus.dll [&Yahoo! Messenger] -> Yahoo! Inc. [Ver = 2005, 5, 11, 1 | Size = 316552 bytes | Modified Date = 5/11/2005 5:06:02 PM | Attr = ]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} [HKLM] -> %ProgramFiles%\XiMeta\NetDisk\Drivers\NDExpTool.dll [&NetDisk Tools] -> XiMeta Technology, Inc. [Ver = 0, 0, 3, 0 | Size = 94208 bytes | Modified Date = 7/30/2003 1:03:48 PM | Attr = ]
    {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] -> %SystemDrive%\hp\EXPLOREBAR\HPTOOLKT.DLL [hp toolkit] -> Hewlett-Packard Company [Ver = 1.0.0.3 | Size = 86016 bytes | Modified Date = 6/5/2002 1:03:12 AM | Attr = ]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 9:54:42 PM | Attr = ]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    ShellBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] -> %SystemDrive%\hp\EXPLOREBAR\HPTOOLKT.DLL [hp toolkit] -> Hewlett-Packard Company [Ver = 1.0.0.3 | Size = 86016 bytes | Modified Date = 6/5/2002 1:03:12 AM | Attr = ]
    WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 9:54:42 PM | Attr = ]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {4B30061A-5B39-11D3-80F8-0090276F843F} -> %ProgramFiles%\Net2Phone\Net2fone.exe [ButtonText: Net2Phone] -> Net2Phone [Ver = 10.6.2.0 | Size = 1148416 bytes | Modified Date = 6/19/2001 2:06:00 PM | Attr = ]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
    {6224f700-cba3-4071-b251-47cb894244cd} -> %ProgramFiles%\ICQ\Icq.exe [ButtonText: ICQ] -> ICQ Inc. [Ver = 2002a Beta | Size = 2054213 bytes | Modified Date = 6/19/2002 9:22:56 AM | Attr = ]
    < Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
    &Yahoo! Search -> %ProgramFiles%\Yahoo!\Common\YCSRCH.HTM -> [Ver = | Size = 605 bytes | Modified Date = 6/3/2005 7:07:38 PM | Attr = ]
    Yahoo! &Dictionary -> %ProgramFiles%\Yahoo!\Common\YCDICT.HTM -> [Ver = | Size = 616 bytes | Modified Date = 6/3/2005 7:07:16 PM | Attr = ]
    Yahoo! &Maps -> %ProgramFiles%\Yahoo!\Common\ycmap.htm -> [Ver = | Size = 690 bytes | Modified Date = 6/3/2005 7:07:44 PM | Attr = ]
    Yahoo! &SMS -> %ProgramFiles%\Yahoo!\Common\YCsms.htm -> [Ver = | Size = 1006 bytes | Modified Date = 8/1/2005 6:43:00 PM | Attr = ]
    < Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
    .spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> InterTrust Technologies Corporation, Inc. [Ver = 1.0.30.95 | Size = 225280 bytes | Modified Date = 1/30/2001 11:56:24 PM | Attr = ]
    < User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    SV1 -> ->
    < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
    {997EE817-FCE7-4741-8092-283664E6CF7F} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
    {9BD8D485-BDE3-4875-A320-ABA6BE8F4516} -> () ->
    {AB661CA8-EF85-4901-957C-1204ACA633AF} -> (1394 Net Adapter) ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    {33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab ->
    {41F17733-B041-4099-A042-B518BB6A408C} -> - CodeBase = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe ->
    {9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.9362731481 ->
    {D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab ->
    Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


    [Registry - Additional Scans - Non-Microsoft Only]
    < Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
    0 -> [Key] ->
    0 -> FriendlyName = My Current Home Page ->
    0 -> Source = About:Home ->
    0 -> SubscribedURL = About:Home ->


    [Files/Folders - Created Within 60 days]
    !KillBox -> %SystemDrive%\!KillBox -> [Folder | Created Date = 6/6/2007 6:00:56 PM | Attr = ]
    ComboFix-quarantined-files.txt -> %SystemDrive%\ComboFix-quarantined-files.txt -> [Ver = | Size = 2687 bytes | Created Date = 6/4/2007 7:34:41 PM | Attr = ]
    ComboFix.txt -> %SystemDrive%\ComboFix.txt -> [Ver = | Size = 3596 bytes | Created Date = 6/7/2007 11:52:26 PM | Attr = ]
    ComboFix2.txt -> %SystemDrive%\ComboFix2.txt -> [Ver = | Size = 3596 bytes | Created Date = 6/6/2007 9:11:29 AM | Attr = ]
    ComboFix3.txt -> %SystemDrive%\ComboFix3.txt -> [Ver = | Size = 3591 bytes | Created Date = 6/6/2007 9:11:29 AM | Attr = ]
    hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
    QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 6/4/2007 3:58:44 PM | Attr = ]
    SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 6/4/2007 2:53:36 PM | Attr = ]
    catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Created Date = 6/4/2007 4:15:38 PM | Attr = ]
    erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 6/4/2007 4:00:49 PM | Attr = ]
    nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/4/2007 4:15:37 PM | Attr = ]
    ntbtlog.txt -> %SystemRoot%\ntbtlog.txt -> [Ver = | Size = 843368 bytes | Created Date = 6/4/2007 2:56:13 PM | Attr = ]
    temp -> %SystemRoot%\temp -> [Folder | Created Date = 6/7/2007 11:53:59 PM | Attr = ]
    bopomofo.uce -> %System32%\bopomofo.uce -> [Ver = | Size = 22984 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    calc.exe -> %System32%\calc.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 114688 bytes | Created Date = 6/8/2007 12:07:23 AM | Attr = ]
    charmap.exe -> %System32%\charmap.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 80384 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    gb2312.uce -> %System32%\gb2312.uce -> [Ver = | Size = 24006 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    getuname.dll -> %System32%\getuname.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 605696 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    ideograf.uce -> %System32%\ideograf.uce -> [Ver = | Size = 60458 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    kanji_1.uce -> %System32%\kanji_1.uce -> [Ver = | Size = 6948 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    kanji_2.uce -> %System32%\kanji_2.uce -> [Ver = | Size = 8484 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    korean.uce -> %System32%\korean.uce -> [Ver = | Size = 12876 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    moveex.exe -> %System32%\moveex.exe -> [Ver = | Size = 38400 bytes | Created Date = 6/4/2007 4:15:37 PM | Attr = ]
    MSINET.oca -> %System32%\MSINET.oca -> [Ver = | Size = 29184 bytes | Created Date = 4/26/2007 12:30:14 AM | Attr = ]
    shiftjis.uce -> %System32%\shiftjis.uce -> [Ver = | Size = 16740 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    subrange.uce -> %System32%\subrange.uce -> [Ver = | Size = 93702 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/4/2007 4:15:38 PM | Attr = ]
    swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/4/2007 4:15:37 PM | Attr = ]
    swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/4/2007 4:15:37 PM | Attr = ]
    vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 6/4/2007 4:15:37 PM | Attr = ]
    calc.exe -> %System32%\dllcache\calc.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 114688 bytes | Created Date = 6/8/2007 12:07:23 AM | Attr = ]
    charmap.exe -> %System32%\dllcache\charmap.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 80384 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    getuname.dll -> %System32%\dllcache\getuname.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 605696 bytes | Created Date = 6/8/2007 12:07:24 AM | Attr = ]
    wordpad.exe -> %System32%\dllcache\wordpad.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 214528 bytes | Created Date = 6/8/2007 12:10:51 AM | Attr = ]
    AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 6/4/2007 12:31:24 PM | Attr = ]

    [Files/Folders - Modified Within 30 days]
    !KillBox -> %SystemDrive%\!KillBox -> [Folder | Modified Date = 6/7/2007 9:11:22 AM | Attr = ]
    hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Modified Date = 6/9/2007 9:45:14 PM | Attr = HS]
    Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/7/2007 9:26:26 AM | Attr = R ]
    QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 6/4/2007 4:58:46 PM | Attr = ]
    SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 6/8/2007 12:08:48 AM | Attr = ]
    System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 6/6/2007 4:10:18 PM | Attr = HS]
    WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/8/2007 1:04:04 AM | Attr = ]
    addins -> %SystemRoot%\addins -> [Folder | Modified Date = 6/7/2007 9:08:16 AM | Attr = ]
    bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/9/2007 9:45:22 PM | Attr = S]
    catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 87040 bytes | Modified Date = 5/28/2007 4:23:12 AM | Attr = ]
    Cursors -> %SystemRoot%\Cursors -> [Folder | Modified Date = 6/8/2007 1:07:26 AM | Attr = ]
    erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 6/4/2007 5:00:50 PM | Attr = ]
    Help -> %SystemRoot%\Help -> [Folder | Modified Date = 6/8/2007 1:07:26 AM | Attr = ]
    imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 4507 bytes | Modified Date = 6/7/2007 9:21:34 AM | Attr = ]
    inf -> %SystemRoot%\inf -> [Folder | Modified Date = 5/21/2007 8:53:06 PM | Attr = ]
    mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 12622 bytes | Modified Date = 5/15/2007 1:59:08 PM | Attr = ]
    Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/9/2007 10:09:58 PM | Attr = ]
    QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 6/4/2007 12:25:44 AM | Attr = H ]
    security -> %SystemRoot%\security -> [Folder | Modified Date = 6/9/2007 1:59:48 PM | Attr = ]
    system32 -> %System32% -> [Folder | Modified Date = 6/8/2007 1:07:32 AM | Attr = ]
    Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 6/4/2007 5:00:24 PM | Attr = S]
    temp -> %SystemRoot%\temp -> [Folder | Modified Date = 6/9/2007 9:47:22 PM | Attr = ]
    Winamp.ini -> %SystemRoot%\Winamp.ini -> [Ver = | Size = 121 bytes | Modified Date = 6/4/2007 12:18:00 AM | Attr = ]
    SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/9/2007 9:45:36 PM | Attr = H ]
    Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 412 bytes | Modified Date = 6/9/2007 9:47:08 PM | Attr = ]
    CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 5/21/2007 8:55:04 PM | Attr = ]
    CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/8/2007 1:07:18 AM | Attr = ]
    config -> %System32%\config -> [Folder | Modified Date = 6/4/2007 5:06:14 PM | Attr = ]
    dllcache -> %System32%\dllcache -> [Folder | Modified Date = 6/8/2007 1:10:58 AM | Attr = RHS]
    drivers -> %System32%\drivers -> [Folder | Modified Date = 6/8/2007 12:53:58 AM | Attr = ]
    mapisvc.inf -> %System32%\mapisvc.inf -> [Ver = | Size = 596 bytes | Modified Date = 6/7/2007 9:08:10 AM | Attr = ]
    nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 17145 bytes | Modified Date = 6/9/2007 9:46:02 PM | Attr = ]
    OP5500.cah -> %System32%\OP5500.cah -> [Ver = | Size = 17492 bytes | Modified Date = 5/21/2007 8:53:18 PM | Attr = ]
    perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 40868 bytes | Modified Date = 6/8/2007 1:07:32 AM | Attr = ]
    perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 313276 bytes | Modified Date = 6/8/2007 1:07:32 AM | Attr = ]
    PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 357538 bytes | Modified Date = 6/8/2007 1:07:32 AM | Attr = ]
    Restore -> %System32%\Restore -> [Folder | Modified Date = 6/6/2007 4:10:18 PM | Attr = ]
    wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 6/9/2007 9:47:12 PM | Attr = ]
    AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr = ]
    etc -> %System32%\drivers\etc -> [Folder | Modified Date = 6/8/2007 12:02:04 AM | Attr = ]

    [File String Scan - Non-Microsoft Only]
    WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.34 | Size = 16121856 bytes | Modified Date = 9/20/2004 3:20:44 PM | Attr = ]
    PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    Thawte Consulting , -> %System32%\SmartUI2.ocx -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 2.00.6553 | Size = 870152 bytes | Modified Date = 3/15/2007 12:22:38 PM | Attr = ]
    winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/18/2001 8:00:00 AM | Attr = ]
    Thawte Consulting , -> %System32%\XceedCry.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 1.1.6461.0 | Size = 526184 bytes | Modified Date = 3/15/2007 12:19:58 PM | Attr = ]
    Thawte Consulting , -> %System32%\XceedZip.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 6.0.6621.0 | Size = 497496 bytes | Modified Date = 3/15/2007 12:23:16 PM | Attr = ]
    PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr = ]

    < End of report >
     
  7. 2007/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I see only a couple of things that I would even bother addressing.

    To fix those items, run Winpfind3u again. Copy the bolded blue text below and paste it into the upper right window of Winpfind, then click Run Fix.

    [Driver Services - Non-Microsoft Only]
    NY -> (TnIDriver) TnIDriver [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Owner\LOCALS~1\Temp\tni705.tmp
    [Registry - Non-Microsoft Only]
    < Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    YN -> aol.com [ - ] ->
    YN -> free_aol.com [ - ] ->
    YN -> free_aol.com [http] ->


    Wait for it to complete. Now run ATF Cleaner again, selecting all boxes. Reboot.

    If your Internet Explorer is working, go to Panda ActiveScan and run a complete scan on your system. If anything is found, save the report and post it here.
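    The one driver entry singled out for removal above is a kernel service whose image path points into a user's Temp folder and whose file is no longer on disk. As an added example (my code, not part of the thread and not from Winpfind3u), the Python below parses report lines of the shape shown in the "[Driver Services - Non-Microsoft Only]" section and flags exactly that pattern, while leaving the empty-path "File not found" stubs alone. The three sample lines are copied in shape from the report above and are constructed input.

```python
import re

# Shape of one Winpfind3u "[Driver Services]" line:
#   (Name) Display name [Type | Start | State] -> <image path> -> <details or "File not found">
LINE_RE = re.compile(
    r"^\((?P<name>[^)]+)\)\s+"                                            # (ServiceName)
    r"(?P<display>.*?)\s+"                                                # display name
    r"\[(?P<type>[^|\]]*)\|(?P<start>[^|\]]*)\|(?P<state>[^\]]*)\]\s+->\s*"
    r"(?P<path>.*?)\s*->\s*"                                              # image path, may be empty
    r"(?P<info>.*)$"                                                      # vendor/version block or "File not found"
)

# Constructed sample: three lines copied in shape from the report above.
SAMPLE_LINES = [
    r"(Lpx) XiMeta Lpx Protocol [Kernel | Auto | Running] -> %System32%\drivers\Lpx.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.5438 | Size = 108288 bytes | Modified Date = 7/30/2003 1:03:40 PM | Attr = ]",
    r"(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found",
    r"(TnIDriver) TnIDriver [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Owner\LOCALS~1\Temp\tni705.tmp -> File not found",
]


def parse_line(line):
    """Return the fields of one report line as a dict, or None if it is not a service line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {key: value.strip() for key, value in m.groupdict().items()}


# A path component named Temp or tmp, e.g. LOCALS~1/Temp/x.tmp (backslash separated).
TEMP_DIR_RE = re.compile(r"(^|\\)(temp|tmp)(\\|$)", re.IGNORECASE)


def is_temp_path(path):
    """True when one of the path's directory components is a Temp/tmp folder."""
    return TEMP_DIR_RE.search(path) is not None


def triage(lines):
    """Flag service entries worth a closer look.

    Returns a list of (service name, image path, [reasons]).  Entries with an
    empty image path and "File not found" are not flagged: on Windows XP those
    are the stock disabled storage-driver stubs (mraid35x, perc2, ql1080, ...)
    and appear on clean installs too.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_temp_path(rec["path"]):
            reasons.append("image path under a Temp directory")
        if rec["info"] == "File not found" and rec["path"]:
            reasons.append("image file missing from disk")
        if reasons:
            findings.append((rec["name"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LINES):
        print(f"{name}: {path}  [{'; '.join(reasons)}]")
```

    Run against a full report, `triage()` surfaces only entries that either load from a Temp folder or point at a binary that has since disappeared; the stock disabled stubs with no path stay out of the output, which matches the reviewer's decision above to address the TnIDriver entry alone.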
     
  8. 2007/06/11
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Here's the report from Panda. (I deleted all the spaces between the lines to make it easier to read. All line items listed have not been disinfected):

    Adware:adware/popper Windows Registry
    Adware:adware/netword Windows Registry
    Potentially unwanted tool:Application/NirCmd.A C:\Documents and Settings\All Users\Documents\ComboFix.exe[ComboFixT\nircmd.exe]
    Potentially unwanted tool:Application/NirCmd.A C:\Documents and Settings\Owner\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
    Potentially unwanted tool:Application/HideWindow.A C:\hp\bin\FondleWindow.exe
    Potentially unwanted tool:Application/KillApp.B C:\hp\bin\KillIt.exe
    Potentially unwanted tool:Application/KillApp.A C:\hp\bin\Terminator.exe
    Potentially unwanted tool:Application/Processor C:\SDFix\apps\Process.exe
    Potentially unwanted tool:Application/NirCmd.A C:\WINDOWS\nircmd.exe


    Of note, the computer still boots with the splash screen being replaced, but I only see that after I run ATF Cleaner and reboot. If I reboot w/o running ATF, the new splash screen is already in place; the normal one that says "Windows is starting" etc. doesn't appear. So ATF is deleting the bug that causes the splash screen replacement (and whatever else that might be going on after that happens that I can't see), but it resets itself on start-up.

    Also, for the past few days, I've noticed that I've been getting a duplicate warning that tells me my firewall and other functions are not on. It's a pop-up from the tray that says "Your computer might be at risk" etc, and it comes up twice. I'm used to the warning coming up once because I *don't* use Windows' firewall and have it turned off. (I use a Netgear FVS124G external firewall.) So I attributed the second occurrence of the warning to having turned off the system restore until I could clear up the mess, but when I turned it back on just to test the theory, both warnings still come up.

    Something is DEFINITELY still going on, and it's not "normal." :(
     
  9. 2007/06/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    RE: the panda scan
    The files are fine, and the registry components are non-threat leftovers, but we'll see if we can find them anyway.

    Please run regsrch.vbs for each of the following and post any results.

    Netword
    NetWord Agent
    {A16BC1B2-E582-11D4-8757-005004603000}
    {6FCCD5A1-8823-476D-B7DE-FEB13D46D9BD}


    Let's have a closer look at temp files being created. Please download listtemps.zip from the link below. Save it to the desktop and extract.

    http://noahdfear.net/downloads/listtemps.zip

    Run ATF cleaner, then run the listtemps.bat
    It will create and open tempfiles.txt on the desktop. Close it, then rename to tempfiles1.txt.
    Reboot and run listtemps.bat again. Rename to tempfiles2.txt
    Reboot and run listtemps.bat again. Rename to tempfiles3.txt, then post the contents of each.
     
  10. 2007/06/11
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    "Netword" and "NetWord Agent":

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Netword]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Netword\Netword Agent]

    [HKEY_USERS\S-1-5-21-3529363498-689911805-3147829007-1003\Software\Netword\Netword Agent]
    "path "= "C:\\Program Files\\Netword\\ "


    "{A16BC1B2-E582-11D4-8757-005004603000}" and "{6FCCD5A1-8823-476D-B7DE-FEB13D46D9BD}"

    None

    TEMP 1:

    Prefetch files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\prefetch

    06/12/2007 12:28 AM <DIR> .
    06/12/2007 12:28 AM <DIR> ..
    06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
    06/11/2007 10:30 AM 163,920 layout.ini
    2 File(s) 179,556 bytes

    Total Files Listed:
    2 File(s) 179,556 bytes
    2 Dir(s) 48,014,860,288 bytes free

    Windows temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\temp

    06/12/2007 12:28 AM <DIR> .
    06/12/2007 12:28 AM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    2 Dir(s) 48,014,860,288 bytes free

    Current User temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\DOCUME~1\Owner\LOCALS~1\Temp

    06/12/2007 12:28 AM <DIR> .
    06/12/2007 12:28 AM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    2 Dir(s) 48,014,860,288 bytes free

    Systemprofile temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> VIES7E31
    06/04/2007 05:19 PM <DIR> VIES7ED7
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> UM
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31\UM

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7ED7

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    11 Dir(s) 48,014,856,192 bytes free

    

    TEMP 2:

    Prefetch files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\prefetch

    06/12/2007 12:33 AM <DIR> .
    06/12/2007 12:33 AM <DIR> ..
    06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
    06/12/2007 12:28 AM 9,144 CMD.EXE-034B0549.pf
    06/11/2007 10:30 AM 163,920 layout.ini
    06/12/2007 12:29 AM 11,904 NOTEPAD.EXE-2F2D61E1.pf
    06/12/2007 12:32 AM 383,860 NTOSBOOT-B00DFAAD.pf
    06/12/2007 12:32 AM 7,766 WGATRAY.EXE-350D4455.pf
    06/12/2007 12:33 AM 24,522 WMIPRVSE.EXE-0D449B4F.pf
    06/12/2007 12:32 AM 8,138 WSCNTFY.EXE-0B14C27D.pf
    06/12/2007 12:32 AM 18,854 WUAUCLT.EXE-1360D60A.pf
    9 File(s) 643,744 bytes

    Total Files Listed:
    9 File(s) 643,744 bytes
    2 Dir(s) 48,014,172,160 bytes free

    Windows temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\temp

    06/12/2007 12:33 AM <DIR> .
    06/12/2007 12:33 AM <DIR> ..
    06/12/2007 12:31 AM 255 WGAErrLog.txt
    06/12/2007 12:33 AM 409 WGANotify.settings
    2 File(s) 664 bytes

    Total Files Listed:
    2 File(s) 664 bytes
    2 Dir(s) 48,014,172,160 bytes free

    Current User temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\DOCUME~1\Owner\LOCALS~1\Temp

    06/12/2007 12:31 AM <DIR> .
    06/12/2007 12:31 AM <DIR> ..
    06/12/2007 12:31 AM 793 pcf1.tmp
    1 File(s) 793 bytes

    Total Files Listed:
    1 File(s) 793 bytes
    2 Dir(s) 48,014,172,160 bytes free

    Systemprofile temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> VIES7E31
    06/04/2007 05:19 PM <DIR> VIES7ED7
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> UM
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31\UM

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7ED7

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    11 Dir(s) 48,014,168,064 bytes free

    

    TEMP 3:

    Prefetch files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\prefetch

    06/12/2007 12:33 AM <DIR> .
    06/12/2007 12:33 AM <DIR> ..
    06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
    06/12/2007 12:33 AM 9,146 CMD.EXE-034B0549.pf
    06/11/2007 10:30 AM 163,920 layout.ini
    06/12/2007 12:33 AM 12,534 NOTEPAD.EXE-2F2D61E1.pf
    06/12/2007 12:36 AM 521,424 NTOSBOOT-B00DFAAD.pf
    06/12/2007 12:32 AM 7,766 WGATRAY.EXE-350D4455.pf
    06/12/2007 12:33 AM 24,522 WMIPRVSE.EXE-0D449B4F.pf
    06/12/2007 12:34 AM 7,548 WSCNTFY.EXE-0B14C27D.pf
    06/12/2007 12:36 AM 18,730 WUAUCLT.EXE-1360D60A.pf
    9 File(s) 781,226 bytes

    Total Files Listed:
    9 File(s) 781,226 bytes
    2 Dir(s) 48,014,045,184 bytes free

    Windows temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\temp

    06/12/2007 12:33 AM <DIR> .
    06/12/2007 12:33 AM <DIR> ..
    06/12/2007 12:35 AM 255 WGAErrLog.txt
    06/12/2007 12:36 AM 409 WGANotify.settings
    2 File(s) 664 bytes

    Total Files Listed:
    2 File(s) 664 bytes
    2 Dir(s) 48,014,045,184 bytes free

    Current User temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\DOCUME~1\Owner\LOCALS~1\Temp

    06/12/2007 12:35 AM <DIR> .
    06/12/2007 12:35 AM <DIR> ..
    06/12/2007 12:31 AM 793 pcf1.tmp
    06/12/2007 12:35 AM 793 pcf2.tmp
    2 File(s) 1,586 bytes

    Total Files Listed:
    2 File(s) 1,586 bytes
    2 Dir(s) 48,014,045,184 bytes free

    Systemprofile temp files

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> VIES7E31
    06/04/2007 05:19 PM <DIR> VIES7ED7
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    06/04/2007 05:19 PM <DIR> UM
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7E31\UM

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\WINDOWS\system32\config\systemprofile\locals~1\temp\VIES7ED7

    06/04/2007 05:19 PM <DIR> .
    06/04/2007 05:19 PM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    11 Dir(s) 48,014,041,088 bytes free
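The three listtemps snapshots above are most useful when diffed against each other: whatever is cleaned by ATF and then shows up again in the same folder after every reboot is the thing to chase. The following is an added example (editor's code, not part of the thread or of listtemps.zip) that parses `dir`-style listings in the format posted above and reports which folders get new files after each reboot; the embedded snapshots are constructed excerpts condensed from TEMP 1-3.

```python
"""Compare successive listtemps.bat snapshots (tempfiles1.txt, tempfiles2.txt, ...)
to see which temp/prefetch folders receive fresh files after every reboot.
Added example; the sample snapshots below are constructed from the thread's
TEMP 1/2/3 listings with most prefetch entries left out for brevity."""
import re
from typing import Dict, List, Set, Tuple

# One `dir` entry: date, time, <DIR> or comma-grouped size, then the name.
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
DIR_RE = re.compile(r"^\s*Directory of\s+(.+?)\s*$")

FileInfo = Tuple[int, str]  # (size in bytes, "date time" stamp)


def parse_listing(text: str) -> Dict[str, FileInfo]:
    """Map every regular file in a snapshot to (size, timestamp).

    '.', '..' and subfolder entries are skipped; the full path is rebuilt from
    the most recent 'Directory of' header, so the same file name in two
    folders (e.g. two temp trees) is never confused."""
    files: Dict[str, FileInfo] = {}
    current_dir = ""
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue
        date, time, size, name = m.groups()
        files[f"{current_dir}\\{name}"] = (int(size.replace(",", "")), f"{date} {time}")
    return files


def diff_snapshots(before: Dict[str, FileInfo], after: Dict[str, FileInfo]):
    """Return (added, removed, changed) path sets between two snapshots."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    changed = {p for p in set(before) & set(after) if before[p] != after[p]}
    return added, removed, changed


def dirs_refilled_every_reboot(snapshots: List[Dict[str, FileInfo]]) -> Set[str]:
    """Folders that get at least one brand-new file after *every* reboot.

    A file that ATF removes and something re-creates at boot appears as a new
    entry (often under a new name, pcf1.tmp then pcf2.tmp) in the same folder
    in each consecutive diff; a rewritten prefetch file only counts as changed."""
    refilled = None
    for before, after in zip(snapshots, snapshots[1:]):
        added, _, _ = diff_snapshots(before, after)
        dirs = {p.rsplit("\\", 1)[0] for p in added}
        refilled = dirs if refilled is None else refilled & dirs
    return refilled or set()


# Constructed snapshots in the listtemps layout (condensed from the thread).
SNAP1 = """Prefetch files
 Directory of C:\\WINDOWS\\prefetch
06/12/2007 12:28 AM <DIR> .
06/12/2007 12:28 AM <DIR> ..
06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
06/11/2007 10:30 AM 163,920 layout.ini
Current User temp files
 Directory of C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp
06/12/2007 12:28 AM <DIR> .
 0 File(s) 0 bytes
"""
SNAP2 = """Prefetch files
 Directory of C:\\WINDOWS\\prefetch
06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
06/11/2007 10:30 AM 163,920 layout.ini
06/12/2007 12:32 AM 383,860 NTOSBOOT-B00DFAAD.pf
06/12/2007 12:32 AM 8,138 WSCNTFY.EXE-0B14C27D.pf
Current User temp files
 Directory of C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp
06/12/2007 12:31 AM 793 pcf1.tmp
"""
SNAP3 = """Prefetch files
 Directory of C:\\WINDOWS\\prefetch
06/12/2007 12:28 AM 15,636 ATF-CLEANER.EXE-343E22FA.pf
06/11/2007 10:30 AM 163,920 layout.ini
06/12/2007 12:36 AM 521,424 NTOSBOOT-B00DFAAD.pf
06/12/2007 12:34 AM 7,548 WSCNTFY.EXE-0B14C27D.pf
Current User temp files
 Directory of C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp
06/12/2007 12:31 AM 793 pcf1.tmp
06/12/2007 12:35 AM 793 pcf2.tmp
"""

if __name__ == "__main__":
    snaps = [parse_listing(s) for s in (SNAP1, SNAP2, SNAP3)]
    for n, (a, b) in enumerate(zip(snaps, snaps[1:]), 1):
        added, removed, changed = diff_snapshots(a, b)
        print(f"reboot {n}: added={sorted(added)} removed={sorted(removed)} changed={sorted(changed)}")
    print("refilled every reboot:", dirs_refilled_every_reboot(snaps))
```

With the real tempfiles1.txt to tempfiles3.txt, read each file and pass the texts to `parse_listing` in order; the reported folder is where a re-created file should be examined before the next cleanup.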

    
     
  11. 2007/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Replace the text in the remCLSID.reg (right click and edit) with the following, close and save, then double click and allow to merge.

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Netword]



    Try pinpointing which files removed by ATF cleaner result in a 'normal' bootup ........ run ATF selecting ONLY Current User Temp and reboot, then Prefetch only and reboot, etc.

    Rename HijackThis back to HijackThis.exe, then create another startup list (check both boxes) and post.


    Oh......almost forgot. When you posted the Panda log, you stated those were not disinfected. Was anything found and disinfected, or was that the complete log?
     
    Last edited: 2007/06/12
  12. 2007/06/13
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    PART 1 of 2:

    Done. I checked to see if it returned, and it did not.

    Looks like it's in the prefetch.

    Here's the log:


    StartupList report, 6/14/2007, 12:29:37 AM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\hijackthis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\XiMeta\NetDisk\Admin.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\XiMeta\NetDisk\LDServ.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\hijackthis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    KBD = C:\HP\KBD\KBD.EXE
    checktime = c:\program files\HPSelect\Frontend\ct.exe
    StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    AlcxMonitor = ALCXMNTR.EXE
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{8b15971b-5355-4c82-8c07-7e181ea07608}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

    [{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
    StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [{33564D57-9980-0010-8000-00AA00389B71}]
    CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.9362731481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    (cont.)
     
  13. 2007/06/13
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    PART 2 of 2:

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
    AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
    AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
    MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    drvmcdb: system32\drivers\drvmcdb.sys (system)
    drvnddm: system32\drivers\drvnddm.sys (autostart)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    SCM Parallel Port SCSI Driver: System32\DRIVERS\epstw2k.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Hid to Joystick Port Enabler: System32\DRIVERS\hidgame.sys (manual start)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    i81x: System32\DRIVERS\i81xnt5.sys (manual start)
    iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
    iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
    iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
    iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
    iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
    iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
    iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
    iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
    iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
    ialm: System32\DRIVERS\ialmnt5.sys (manual start)
    InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    %imapi_ServiceDesc%: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Lanscsi Bus Enumerator: System32\DRIVERS\LanscsiBus.sys (manual start)
    Lanscsi SCSI Miniport Driver for NetDisk: System32\DRIVERS\lanscsiminiport.sys (manual start)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    XiMeta Lpx Protocol: System32\DRIVERS\Lpx.sys (autostart)
    LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Sidewinder HID to Joystick Port Enabler: System32\DRIVERS\msgame.sys (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    NetDisk Service: C:\Program Files\XiMeta\NetDisk\LDServ.exe (autostart)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Gravis GamePort device driver: system32\drivers\ntgrip.sys (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nv4: System32\DRIVERS\nv4.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    OKI OPHD DCS Loader: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE (manual start)
    Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    PS2: System32\DRIVERS\PS2.sys (manual start)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    ROFilt: \??\C:\WINDOWS\system32\drivers\ROFilt.sys (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
    S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SCSI Scanner Driver: System32\DRIVERS\scsiscan.sys (manual start)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS315: System32\DRIVERS\sisgrp.sys (manual start)
    SiS AGP Filter: System32\DRIVERS\SISAGP.sys (system)
    SNMP Trap Service: %SystemRoot%\system32\snmptrap.exe (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    sscdbhk5: system32\drivers\sscdbhk5.sys (system)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    ssrtln: system32\drivers\ssrtln.sys (system)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{13C56707-A75E-427F-A3E7-375956BFF577} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    tfsnboio: system32\dla\tfsnboio.sys (autostart)
    tfsncofs: system32\dla\tfsncofs.sys (autostart)
    tfsndrct: system32\dla\tfsndrct.sys (autostart)
    tfsndres: system32\dla\tfsndres.sys (autostart)
    tfsnifs: system32\dla\tfsnifs.sys (autostart)
    tfsnopio: system32\dla\tfsnopio.sys (autostart)
    tfsnpool: system32\dla\tfsnpool.sys (autostart)
    tfsnudf: system32\dla\tfsnudf.sys (autostart)
    tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
    ViaIde: System32\DRIVERS\viaide.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
    Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Documents and Settings\Owner\Local Settings\temp\~DF23F1.tmp||C:\Documents and Settings\Owner\Cookies\index.dat||C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\LocalService\cookies\index.dat||C:\Documents and Settings\Owner\Local Settings\temp\~DF23F1.tmp||C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Owner\cookies\index.dat



    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 34,413 bytes
    Report generated in 0.078 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    ^ I highlighted the part that is there *after* clearing files with ATF. Some of those directories don't even exist. Odd.


    That was the complete log. All line items were listed as being "not disinfected," so I just deleted the phrase to make it easier to read. All relevant data is still there; no line items were left out.
     
  14. 2007/06/14
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    re the temp dirs not being there:

    If you run a script to remove all of the files in certain dirs, or to remove the folder & all contents, then they are indeed gone. In certain Windows system folders the dirs & index.dat files will get recreated at boot or in the case of History, Cookies, Temp Internet Files, they get recreated the next time IE is started, but not until then.
     
  15. 2007/06/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Now try to pinpoint which file is involved. Start with deleting NTOSBOOT-B00DFAAD.pf from the prefetch folder and reboot. Move on to the CMD.EXE-034B0549.pf, then the others.

    Do NOT delete the layout.ini file at any time!!
     
  16. 2007/06/14
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Bingo!! I believe that's it. How do I get rid of that sucker? :mad:
     
  17. 2007/06/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please copy the following to a blank text file and name it ntos.bat (on the desktop)

    @echo off
    rem List every ntoskrnl.exe on the system drive, including hidden and system copies (/a), recursively (/s)
    dir /a /s %systemdrive%\ntoskrnl.exe >>ntos.txt
    rem Open the collected listing in Notepad, then clear and close this console window
    start notepad ntos.txt
    cls
    exit


    Run the batch and post the results.
     
  18. 2007/06/14
    AgentPat

    AgentPat Inactive Thread Starter

    Joined:
    2007/06/04
    Messages:
    27
    Likes Received:
    0
    Here ya go:

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 50E2-5DBF

    Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2GDR

    03/01/2005 08:59 PM 2,179,328 ntoskrnl.exe
    1 File(s) 2,179,328 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2QFE

    03/01/2005 09:04 PM 2,179,456 ntoskrnl.exe
    1 File(s) 2,179,456 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    03/01/2005 09:33 PM 2,040,832 ntoskrnl.exe
    1 File(s) 2,040,832 bytes

    Directory of C:\WINDOWS\$NtUninstallKB885835_0$

    04/24/2003 08:57 AM 1,925,760 ntoskrnl.exe
    1 File(s) 1,925,760 bytes

    Directory of C:\WINDOWS\$NtUninstallKB890859$

    08/04/2004 02:19 AM 2,180,992 ntoskrnl.exe
    1 File(s) 2,180,992 bytes

    Directory of C:\WINDOWS\$NtUninstallKB890859_0$

    10/22/2004 04:33 AM 2,088,448 ntoskrnl.exe
    1 File(s) 2,088,448 bytes

    Directory of C:\WINDOWS\$NtUninstallQ317277$

    08/18/2001 08:00 AM 1,982,208 ntoskrnl.exe
    1 File(s) 1,982,208 bytes

    Directory of C:\WINDOWS\$NtUninstallQ811493$

    08/29/2002 05:03 AM 2,042,240 ntoskrnl.exe
    1 File(s) 2,042,240 bytes

    Directory of C:\WINDOWS\Driver Cache\i386

    03/01/2005 08:59 PM 2,179,328 ntoskrnl.exe
    1 File(s) 2,179,328 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    08/04/2004 02:19 AM 2,180,992 ntoskrnl.exe
    1 File(s) 2,180,992 bytes

    Directory of C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

    08/04/2004 02:19 AM 2,180,992 ntoskrnl.exe
    1 File(s) 2,180,992 bytes

    Directory of C:\WINDOWS\system32

    03/01/2005 08:59 PM 2,179,328 ntoskrnl.exe
    1 File(s) 2,179,328 bytes

    Total Files Listed:
    12 File(s) 25,339,904 bytes
    0 Dir(s) 47,943,356,416 bytes free


    I have not rebooted yet.
     
  19. 2007/06/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I was hoping to see the ntoskrnl.exe file in the system32 folder as having been recently modified, which might explain the behavior you're noticing and lead to a quicker solution. In lieu of that, let's try something else.

    Please navigate to the C:\Windows\Prefetch folder and right click>Send To>Compressed (zipped) folder, the layout.ini file, then attach the layout.zip file to an email to me.

    noahdfear@msn.com

    Now delete everything in the Prefetch folder except for the layout.ini file.
    Click Start, then right click My Computer and select Manage to open the Computer Management console.
    Expand the Services and Applications entry in the left pane, then click the Services entry.
    Scroll down the list in the right pane and double click the Task Scheduler service.
    Click Stop, then set the Startup Type to manual and click Apply. Click OK to close, then close the Computer Management console.
    Reboot. Note that bootup time may take a bit longer, but is it a normal boot otherwise?
    After a bit of use, reboot again and see if boot is still normal. If so, do a few more reboots to see if it remains normal.
    If and when repeated normal bootups are established, set the Task Scheduler service back to Automatic and see if bootup remains normal after a few reboots.
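    As an added example (not code from the thread or from its posters), the following Python script parses the ntos.txt listing that noahdfear's ntos.bat produces and applies the check he describes: it flags a system32 ntoskrnl.exe whose size and timestamp match none of the other copies Windows keeps (Driver Cache, ServicePackFiles, hotfix folders). The first sample is abridged from the listing AgentPat posted; the tampered variant is constructed.

```python
"""Cross-check the ntoskrnl.exe copies that the thread's ntos.bat lists.

Added example, not code from the thread: it parses the `dir /a /s` output the
batch writes to ntos.txt and asks what noahdfear was asking, namely whether
the live kernel in system32 agrees with the cached copies Windows keeps.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "directory stamp size")

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_RE = re.compile(r"^\s*(?P<stamp>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M)\s+"
                     r"(?P<size>[\d,]+)\s+ntoskrnl\.exe\s*$", re.IGNORECASE)


def parse_dir_output(text):
    """One Entry per ntoskrnl.exe line, tagged with its 'Directory of' path."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir")
            continue
        m = FILE_RE.match(line)
        if m and current:
            entries.append(Entry(current, " ".join(m.group("stamp").split()),
                                 int(m.group("size").replace(",", ""))))
    return entries


def check_live_kernel(entries, systemroot=r"C:\WINDOWS"):
    """Flag a system32 kernel that matches none of the other copies.

    Size plus timestamp is only a proxy for identity (a hash or signature
    check is stronger), but a live kernel unlike every hotfix, Driver Cache
    and ServicePackFiles copy is the 'recently modified' case to rule out.
    """
    live_dir = (systemroot + r"\system32").lower()
    live = [e for e in entries if e.directory.lower() == live_dir]
    if not live:
        return {"verdict": "missing", "twins": []}
    live = live[0]
    twins = [e.directory for e in entries if e.directory.lower() != live_dir
             and (e.size, e.stamp) == (live.size, live.stamp)]
    return {"verdict": "consistent" if twins else "suspect", "twins": twins}


# Abridged from the dir output posted in the thread (three of the 12 copies).
SAMPLE_THREAD = r"""
 Directory of C:\WINDOWS\Driver Cache\i386
03/01/2005  08:59 PM         2,179,328 ntoskrnl.exe
 Directory of C:\WINDOWS\ServicePackFiles\i386
08/04/2004  02:19 AM         2,180,992 ntoskrnl.exe
 Directory of C:\WINDOWS\system32
03/01/2005  08:59 PM         2,179,328 ntoskrnl.exe
"""

# Constructed variant: the last (system32) copy gets a size and date that no
# cached copy shares, which is what a replaced kernel would look like.
_head, _, _tail = SAMPLE_THREAD.rpartition("03/01/2005  08:59 PM         2,179,328")
SAMPLE_TAMPERED = _head + "06/12/2007  03:14 AM         2,201,600" + _tail
```

Run it against a real ntos.txt by passing the file's contents to parse_dir_output; a "suspect" verdict means the live kernel deserves a hash or signature comparison rather than deletion.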
     
