
Solved Sophos shows svchostnt.exe as Mal/Generic message

Discussion in 'Malware and Virus Removal Archive' started by DeepakSharma, 2009/07/30.

  1. 2009/07/30
    DeepakSharma (Thread Starter)

    Hi,
    My Sophos is identifying svchostnt.exe as Mal/Generic, and the system is crashing when I close IE 8.
    I'm not able to update security patches as it says "Access Denied" at update.exe.

    Following is my dds.txt:

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Sureshg at 11:20:24.53 on Thu 07/30/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.395 [GMT 4:00]

    AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {41425613-C89B-4DE8-9A58-DB3E57CC85D9}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Documents and Settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\wscript.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\wscript.exe
    C:\Program Files\Netscape\Navigator 9\navigator.exe
    C:\WINDOWS\system32\wscript.exe
    C:\WINDOWS\system32\wscript.exe
    C:\Documents and Settings\sureshg\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uWindow Title = Microsoft Internet Explorer
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    uInternet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: AL2Spy Class: {dc200356-0864-4f66-8964-5d43a19300f5} - c:\windows\autolo~1\AL2DLL.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Nymgo] c:\documents and settings\sureshg\local settings\application data\nymgo\Nymgo.exe
    uRun: [fsm]
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AtiCwd32] Aticwd32.exe
    mRun: [AtiQiPcl] AtiQiPcl.exe
    mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [9xadiras] 9xadiras.exe
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
    mRun: [SYS1] c:\windows\system32\system.exe
    mRun: [SYS2] c:\windows\system32\bad1.exe
    mRun: [SYS3] c:\windows\system32\bad2.exe
    mRun: [SYS4] c:\windows\system32\bad3.exe
    mRun: [LSA Shellu] c:\documents and settings\sureshg\lsass.exe
    mRun: [runner1] c:\windows\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [etisalat] c:\program files\etisalat\esupport\bin\sprtcmd.exe /P etisalat
    mRun: [CTFMOON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys
    mRun: [svchost] c:\windows\system32\svchostnt.exe
    mRun: [regdeit] c:\windows\system32\svchostnt.exe
    StartupFolder: c:\docume~1\sureshg\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\dslmon.lnk - c:\program files\analog devices\adsl usb modem\dslmon.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    uPolicies-explorer: NoFind = 1 (0x1)
    uPolicies-system: SetVisualStyle = c:\windows\resources\themes\vista\Vista.msstyles
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - hxxp://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233224577006
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243664982916
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
    DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://domsrvae2.cplmg.com/dwa7W.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
    Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~2\RNetPin.dll
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - d:\coreftp\pftpns.dll
    Notify: igfxcui - igfxsrvc.dll
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\yayxuuUL

    ============= SERVICES / DRIVERS ===============

    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-2-20 110848]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-2-20 38528]
    R2 BMFMySQL;BMFMySQL;c:\program files\quest software\benchmark factory for databases\repository\mysql\bin\mysqld-max-nt.exe [2005-10-22 4431872]
    R2 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-3-24 216552]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-20 46112]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
    R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-10-2 98304]
    R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-4-2 266240]
    R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-7-1 172032]
    R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-4-2 794624]
    R2 USBDLM;USBDLM;c:\documents and settings\sureshg\my documents\usbdlm\usbdlm\USBDLM.exe [2008-11-17 156160]
    R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-2-5 33840]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-6-1 34352]
    S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
    S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
    S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
    S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2007-4-24 100488]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-2 14976]

    =============== Created Last 30 ================

    2009-07-30 10:59 32,783 a--shr-- c:\windows\system32\svchostnt.exe
    2009-07-28 11:47 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\RegCure
    2009-07-27 11:49 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
    2009-07-27 11:46 <DIR> --d----- c:\documents and settings\sureshg\.housecall6.6
    2009-07-26 18:01 272,798 a--shr-- c:\windows\system32\regedit.sys
    2009-07-26 18:01 272,798 a--shr-- C:\pagefiles.sys
    2009-07-26 18:01 204 a--shr-- C:\autorun.inf
    2009-07-07 18:10 <DIR> --d----- c:\program files\common files\SupportSoft
    2009-07-07 18:10 <DIR> --d----- c:\program files\Etisalat

    ==================== Find3M ====================

    2009-06-23 18:36 0 a------- c:\docume~1\sureshg\applic~1\FileStore.dll
    2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
    2009-02-04 09:50 24,984 ac------ c:\docume~1\sureshg\applic~1\GDIPFONTCACHEV1.DAT
    2009-01-08 19:18 14,588 a------- c:\windows\inf\yl5vf.zip
    2009-01-04 03:15 28,964 a------- c:\windows\inf\kl1f7.zip
    2008-11-22 11:24 3,416 a------- c:\windows\inf\jlt3c.zip
    2008-07-31 18:15 87,608 a------- c:\docume~1\sureshg\applic~1\inst.exe
    2008-07-31 18:15 47,360 a------- c:\docume~1\sureshg\applic~1\pcouffin.sys
    2007-09-09 11:39 8 a------- c:\docume~1\sureshg\applic~1\usb.dat.bin
    2006-11-20 09:01 163,840 a------- c:\program files\common files\AMCap.exe
    2008-06-15 16:35 1,387 a--sh--- c:\windows\system32\LUuuxyay.ini2
    2008-05-08 15:24 155,648 a--shr-- c:\windows\system32\wscript.exe
    2008-07-02 11:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070220080703\index.dat
    2009-04-25 03:17 16,384 a--sh--- c:\windows\temp\cookies\index.dat
    2009-04-25 03:17 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
    2009-04-25 03:17 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 11:20:53.57 ===============


    thanks pals.
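The pseudo-HJT section of the DDS log above is where this infection is visible before any scanner has been run: Run-key entries named after core Windows processes, a script host pointed at a file with a `.sys` extension, and an extra LSA authentication package. The script below is an added example, not part of this thread and not code from DDS, Sophos or any other tool named here. It parses `uRun:`/`mRun:` and `LSA: Authentication Packages` lines in the DDS format and applies a few defender-side heuristics; the name lists, extensions and the hex-blob threshold are its own assumptions. The sample input is a handful of lines excerpted from the log above plus two benign entries from the same log, so that the script can be run offline.

```python
import re
from typing import List, Tuple

# Assumed name lists and thresholds (this example's own, not from DDS or the thread).
SYSTEM_LOOKALIKES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "system"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
DEFAULT_LSA_PACKAGES = {"msv1_0"}   # the stock XP authentication package

RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(?P<pkgs>.*)$", re.I)
HEX_BLOB_RE = re.compile(r"[0-9a-f]{32,}")


def split_command(cmd: str) -> Tuple[str, List[str]]:
    """Return (lower-cased image path, argument list) for a Run-key command.

    Handles a quoted image with a stray trailing space inside the quotes (as DDS
    prints it) and an unquoted path containing spaces, which is taken to run up
    to the first '.exe'."""
    cmd = cmd.strip()
    if not cmd:
        return "", []
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end].strip() if end != -1 else cmd.strip('"').strip()
        rest = cmd[end + 1:] if end != -1 else ""
    else:
        m = re.match(r"(?P<img>.+?\.exe)(?P<rest>\s.*|$)", cmd, re.I)
        if m:
            image, rest = m.group("img"), m.group("rest")
        else:
            parts = cmd.split(None, 1)
            image, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return image.lower(), rest.split()


def check_run_entry(line: str) -> List[str]:
    """Heuristic findings for one 'uRun:'/'mRun:' line; empty list if nothing stands out."""
    m = RUN_RE.match(line.strip())
    if not m:
        return []
    image, args = split_command(m.group("cmd"))
    if not image:
        return ["empty Run value: orphaned entry, worth cleaning up but not malicious by itself"]
    findings = []
    basename = image.rsplit("\\", 1)[-1]
    stem = basename[:-4] if basename.endswith(".exe") else basename
    if "\\" not in image:
        findings.append("no directory in image path: resolved via PATH at logon, so the log cannot tell which binary runs")
    if stem in SYSTEM_LOOKALIKES or stem.startswith("svchost"):
        findings.append(f"'{basename}' borrows a core Windows process name; the genuine ones are not started from a Run key")
    if basename in SCRIPT_HOSTS:
        targets = [a for a in args if not a.startswith("/")]
        if not targets or not targets[0].lower().endswith(SCRIPT_EXTS):
            findings.append("script host pointed at a non-script extension (engine forced with /e:, target disguised)")
    if any(HEX_BLOB_RE.fullmatch(a.lower()) for a in args):
        findings.append("opaque hexadecimal blob passed as an argument; rare for legitimate software")
    return findings


def check_lsa_packages(line: str) -> List[str]:
    """Flag every authentication package beyond the stock one: each is a DLL lsass loads at boot."""
    m = LSA_RE.match(line.strip())
    if not m:
        return []
    pkgs = m.group("pkgs").lower().split()
    return [f"extra LSA authentication package '{p}' loaded into lsass at boot"
            for p in pkgs if p not in DEFAULT_LSA_PACKAGES]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run both checks over every line of a DDS log and return (line, finding) pairs."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for finding in check_run_entry(line) + check_lsa_packages(line):
            results.append((line, finding))
    return results


# Constructed sample: lines excerpted from the DDS log in this thread (two benign, eight suspicious).
SAMPLE_DDS = r"""
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
mRun: [AtiCwd32] Aticwd32.exe
mRun: [SYS1] c:\windows\system32\system.exe
mRun: [LSA Shellu] c:\documents and settings\sureshg\lsass.exe
mRun: [runner1] c:\windows\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
mRun: [CTFMOON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys
mRun: [svchost] c:\windows\system32\svchostnt.exe
uRun: [fsm]
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayxuuUL
"""

if __name__ == "__main__":
    for line, finding in triage(SAMPLE_DDS):
        print(f"{line}\n    -> {finding}")
```

The heuristics are deliberately narrow: they catch the name-squatting entries, the `wscript.exe /e:vbs ... regedit.sys` trick and the foreign LSA package, but nothing about `bad1.exe` through `bad3.exe`, which only a signature or a reputation lookup would identify. That is the point of running a tool such as Malwarebytes afterwards, as the reply below asks for; a log parser is a first pass for a human reader, not a replacement for a scan.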
     
  2. 2009/07/30
    Juliet (Well-Known Member)
    Hi and welcome

    I see a lot of infection here; it will take several passes to get it all removed.

    Let's start.

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================

    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link
    Here also

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download Trend Micro HijackThis™ and save to desktop.
    It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

    Accept the license agreement by clicking the "I Accept" button.
    Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    Click "Save log" to save the log file and then the log will open in Notepad.
    Click on Edit -> Select All, then click on "Edit -> Copy" to copy the entire contents of the log.

    In your next reply post:
    Malwarebytes' Anti-Malware log
    New HJT log
     


  3. 2009/08/02
    DeepakSharma (Thread Starter)
    Dear Ma'am Juliet,

    Thanks for your references. I have done the following steps.

    1) Ran ATF-Cleaner in normal mode, where it freed some 436 MB.

    2) Not able to install Malwarebytes in normal mode, so I installed it in safe mode with networking, where it updated to the latest definitions.

    3) Instead of doing a quick scan, I accidentally did a full scan in safe mode with networking, and it showed 2300+ odd infections.

    4) I ran HijackThis in normal mode.

    5) The malware message is still popping up.

    Please find the log file data pasted below, as requested.

    Malwarebytes' Anti-Malware 1.39
    Database version: 2544
    Windows 5.1.2600 Service Pack 3

    8/2/2009 11:34:34 AM
    mbam-log-2009-08-02 (11-34-33).txt

    Scan type: Full Scan (C:\|D:\|O:\|)
    Objects scanned: 229734
    Time elapsed: 1 hour(s), 3 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 185
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 7
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avginet.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-Trojan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPM.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMON.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPP95.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPPNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IFACE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOCKDOWN2000.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVSCHED.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPHINX.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSHWIN32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVP32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPCC.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPM.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2FREE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPROTTRAY.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCSHIELD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCVSESCN.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVFNSVR.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVSRV51.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSCTRLS.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSIMSVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavService.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCHED.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TPSRV.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBPROXY.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcdash.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcdetect.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naprdmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasclnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PskSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\System.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsa shellu (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS3 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS4 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind (Hijack.Find) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\documents and settings\networkservice.nt authority\local settings\application data\Bron.tok-10-18 (Trojan.Brontok) -> Quarantined and deleted successfully.
    c:\documents and settings\sureshg\local settings\application data\Bron.tok-10-16 (Trojan.Brontok) -> Quarantined and deleted successfully.
    c:\documents and settings\sureshg\local settings\application data\Bron.tok-10-17 (Trojan.Brontok) -> Quarantined and deleted successfully.
    c:\documents and settings\sureshg\local settings\application data\Bron.tok-10-18 (Trojan.Brontok) -> Quarantined and deleted successfully.
    c:\documents and settings\sureshg\local settings\application data\Bron.tok-10-19 (Trojan.Brontok) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\g5 (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users.windows\application data\Sophos\sophos anti-virus\Temp\5eeb1e98.$$$ (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
    c:\SYSTEM\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Jakki\favorites\MP3 Download, music mp3 downloads. ALLOFMP3..url (Rogue.Link) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\svchostnt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
    c:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\BM4780761b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\BM4780761b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\0_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bad1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bad2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bad3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    -----------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:04:56 PM, on 8/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Documents and Settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Netscape\Navigator 9\navigator.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O1 - Hosts: 128.10.10.10 domsrvae1 domsrvae1/cplmg domsrvae1.cplmg.com mail.cplmg.com www.cplmg.com
    O1 - Hosts: 128.10.10.15 domsrvae2 domsrvae2/cplmg domsrvae2.cplmg.com
    O1 - Hosts: 128.10.10.20 stmtsms stmtsms/cplmg
    O1 - Hosts: 128.10.10.25 smtp smtp.cplmg.com
    O1 - Hosts: 128.10.0.15 cplmg
    O1 - Hosts: 128.10.0.176 lmrtldev lmrtldev.cplmg.local
    O1 - Hosts: 128.10.0.192 lmgdev2.lmg.co.ae lmgdev2
    O1 - Hosts: 128.10.0.172 lmrtlrdw.cplmg.local lmrtlrdw
    O1 - Hosts: 128.10.20.52 lmg-oracle
    O1 - Hosts: 128.10.0.170 lmrtlrms.cplmg.local lmrtlrms
    O1 - Hosts: 128.10.29.11 FA
    O1 - Hosts: 128.10.29.12 HCTERM
    O1 - Hosts: 128.10.29.13 HCDMS
    O1 - Hosts: 128.10.29.14 HCBOSS
    O1 - Hosts: 128.10.29.16 HCBBS
    O1 - Hosts: 128.10.29.20 HCHQ
    O1 - Hosts: 128.10.0.208 lmdevrms.cplmg.local lmdevrms
    O1 - Hosts: 128.10.0.209 lmdevwms.cplmg.local lmdevwms
    O1 - Hosts: 128.10.0.210 lmdevrdw.cplmg.local lmdevrdw
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [SYS1] C:\WINDOWS\system32\system.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [etisalat] C:\Program Files\Etisalat\eSupport\bin\sprtcmd.exe /P etisalat
    O4 - HKLM\..\Run: [CTFMOON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    O4 - HKLM\..\Run: [regdeit] C:\WINDOWS\system32\svchostnt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Nymgo] C:\Documents and Settings\sureshg\Local Settings\Application Data\Nymgo\Nymgo.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: DSLMON.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233224577006
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243664982916
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
    O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://domsrvae2.cplmg.com/dwa7W.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.cplmg.local
    O17 - HKLM\Software\..\Telephony: DomainName = corp.cplmg.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.cplmg.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.cplmg.local
    O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
    O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Documents and Settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe

    --
    End of file - 16370 bytes


    Awaiting your reply on the same, thank you.
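The log above is the kind of evidence the helpers in this thread read by hand: Run entries whose file names imitate core Windows processes (svchostnt.exe, system.exe), a script host started on a file with a .sys extension, a BHO whose DLL is gone, and, further down in the ComboFix output, Image File Execution Options keys whose Debugger value sends every security tool to svchostnt.exe. The Python script below is an added example that automates that triage; it is not code from any post in this thread and is not part of HijackThis or ComboFix. Its sample input is constructed: the lines mirror entries from the posted logs, while the hosts-file override of update.microsoft.com and the ntsd.exe IFEO entry are invented to exercise a positive and a benign case.

```python
"""Triage HijackThis O1/O2/O4 lines and a ComboFix-style REGEDIT4 dump for the
persistence tricks seen in this thread. Added example; sample input is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

GENUINE = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
           "winlogon.exe", "explorer.exe", "smss.exe"}
# Stems malware borrows for lookalike names such as svchostnt.exe or system.exe
LOOKALIKE_STEMS = ("svchost", "services", "lsass", "csrss", "winlogon",
                   "explorer", "smss", "system")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Debuggers that legitimately appear as an IFEO "Debugger" value
LEGIT_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
UPDATE_DOMAINS = ("windowsupdate", "update.microsoft", "sophos.com", "symantec.com")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<data>.*?)"?\s*$')
IFEO_MARKER = "\\image file execution options\\"

# Constructed sample: entries modelled on the posted HijackThis log, plus one
# hosts override that the posted log does not contain (to show a hit).
SAMPLE_LOG = r"""
O1 - Hosts: 128.10.10.25 smtp smtp.cplmg.com
O1 - Hosts: 127.0.0.1 update.microsoft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SYS1] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [CTFMOON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
O4 - HKLM\..\Run: [regdeit] C:\WINDOWS\system32\svchostnt.exe
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
"""

# Constructed sample in ComboFix's REGEDIT4 style; the notepad/ntsd entry is a
# benign IFEO use and must not be reported.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
"Debugger "=c:\windows\system32\svchostnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgcc.exe]
"Debugger "=c:\windows\system32\svchostnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"="c:\windows\system32\ntsd.exe -d"
"""


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def split_command(cmd):
    """Split 'exe args' the way the Run key loader does: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip(), cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_run_entry(exe, args):
    """Return the rule names an O4 Run command trips (empty list = looks normal)."""
    base = basename(exe)
    stem = base.rsplit(".", 1)[0]
    rules = []
    if base not in GENUINE and any(stem.startswith(s) for s in LOOKALIKE_STEMS):
        rules.append("lookalike of a core Windows process name")
    if base in SCRIPT_HOSTS and args and not basename(args.split()[-1]).endswith(SCRIPT_EXTS):
        rules.append("script host launching a file without a script extension")
    if "\\" not in exe:
        rules.append("bare file name resolved through the search path")
    elif exe[:exe.rfind("\\")].lower().endswith(":\\windows"):
        rules.append("executable dropped directly in the Windows directory")
    if re.fullmatch(r"[0-9A-Fa-f]{32,}", args):
        rules.append("opaque hex token passed as argument")
    return rules


def triage_hjt(text):
    """Scan HijackThis lines; return Finding(rule, line) for anything worth a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            findings += [Finding(r, line) for r in check_run_entry(exe, args)]
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("orphaned BHO registration", line))
        elif line.startswith("O1 - Hosts:"):
            names = [n.lower() for n in line.split()[4:]]
            if any(d in n for n in names for d in UPDATE_DOMAINS):
                findings.append(Finding("hosts entry overrides a security or update domain", line))
    return findings


def ifeo_hijacks(reg_text):
    """Map each non-standard IFEO 'Debugger' to the programs it intercepts."""
    by_debugger, target = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            target = key.split(IFEO_MARKER, 1)[1] if IFEO_MARKER in key else None
            continue
        m = VALUE_RE.match(line)
        if m and target and m.group("name").strip().lower() == "debugger":
            debugger = split_command(m.group("data"))[0].lower()
            if basename(debugger) not in LEGIT_DEBUGGERS:
                by_debugger.setdefault(debugger, []).append(target)
    return by_debugger


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print("%-62s %s" % (f.rule, f.line))
    for dbg, targets in ifeo_hijacks(SAMPLE_REG).items():
        print("IFEO: %d program(s) redirected to %s: %s" % (len(targets), dbg, ", ".join(targets)))
```

The IFEO check is the one that explains the thread's symptoms: once a Debugger value exists for a tool's image name, Windows starts the "debugger" instead of the tool, which is why HijackThis and the patch installer would not run until that key tree was removed. The Run-key rules are heuristics, not verdicts; a hit means "look at this file", and a clean igfxtray.exe or Sophos BHO passes through untouched.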
     
  5. 2009/08/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    We might be in trouble here....
    It's possible this infection has attached itself to legitimate system and program files.
    When this happens, and tools/scans delete the infected files, there may be programs that do not run or work as expected.

    We will try to continue.


    Download Combofix© by sUBs from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2



    Example:

    * IamNotMalware.exe
    * PleaseDontEatMe.exe





    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to save the files".
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  6. 2009/08/06
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    Dear Ma'am Juliet,
     
  7. 2009/08/06
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Were you able to run the scan?
     
  8. 2009/08/10
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    Dear Ma'am Juliet,

    Thank you for the links. I have done the following steps

    1) Downloaded ComboFix.
    2) Renamed it to SimpleFx and disabled my Sophos as mentioned.
    3) Couldn't run it in Normal mode as the blue console window never popped up,
    so I ran it in Safe Mode with Networking.
    4) It ran but was not able to connect to the internet for unknown reasons.
    5) It gave a message saying "Do you want to continue running ComboFix?"
    6) Selected 'Yes'.
    7) It ran and showed "Completed Stage 1..." and so on.
    8) Restarted the system in Normal mode.
    9) It generated the file C:\Combofix.txt and popped up a file named "Log.txt".
    10) I was not able to run HijackThis after that in Normal mode or Safe Mode with Networking,
    and couldn't generate a new HijackThis log.

    Please find the below details of Combofix.txt
    ComboFix 09-08-01.09 - Sureshg 08/06/2009 12:42.1.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.715 [GMT 4:00]
    Running from: c:\documents and settings\sureshg\Desktop\SimpleFx.exe
    AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {41425613-C89B-4DE8-9A58-DB3E57CC85D9}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\autorun.inf
    c:\documents and settings\sureshg\Application Data\inst.exe
    c:\recycler\S-1-5-21-1214440339-484763869-725345543-1005
    C:\System
    c:\temp\1cb
    c:\temp\1cb\syscheck.log
    c:\windows\Installer\a8be95c.msi
    c:\windows\system32\ackdkfwr.ini
    c:\windows\system32\Cache
    c:\windows\system32\cttrtaid.ini
    c:\windows\system32\deuhyrxk.ini
    c:\windows\system32\emgpdygo.ini
    c:\windows\system32\hpdhwdvk.ini
    c:\windows\system32\ildybexk.ini
    c:\windows\system32\ilybyykk.ini
    c:\windows\system32\jvegjrkp.ini
    c:\windows\system32\lbjfenuj.ini
    c:\windows\system32\LUuuxyay.ini2
    c:\windows\system32\nhkskuig.ini
    c:\windows\system32\office.exe
    c:\windows\system32\p1
    c:\windows\system32\thuohnhb.ini
    c:\windows\system32\tmp.reg
    c:\windows\system32\xciijvfv.ini
    c:\windows\system32\xfuqxqst.ini
    c:\windows\system32\yjspvvfg.ini
    c:\windows\system32\ylboudnk.ini
    D:\autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Ias
    -------\Service_Iprip
    -------\Service_NWCWorkstation


    ((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
    .

    2009-08-03 19:19 . 2009-08-06 08:46 32783 --sha-r- c:\windows\system32\svchostnt.exe
    2009-08-02 07:54 . 2009-08-02 07:54 -------- d-----w- c:\program files\Trend Micro
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Malwarebytes
    2009-08-02 05:42 . 2009-07-13 09:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-08-02 05:18 . 2009-08-02 05:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-02 05:18 . 2009-07-13 09:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-30 14:25 . 2009-07-30 14:27 -------- d-----w- C:\php
    2009-07-30 14:16 . 2009-07-30 14:16 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2009-07-30 14:14 . 2006-02-28 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2009-07-27 07:49 . 2009-07-27 07:47 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-07-27 07:46 . 2009-07-27 07:54 -------- d-----w- c:\documents and settings\sureshg\.housecall6.6
    2009-07-26 14:01 . 2009-08-06 08:46 272798 --sha-r- c:\windows\system32\regedit.sys
    2009-07-26 14:01 . 2009-08-06 08:46 272798 --sha-r- C:\pagefiles.sys
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\documents and settings\sureshg\Local Settings\Application Data\SupportSoft
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Common Files\SupportSoft
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Etisalat
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SupportSoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-02 19:48 . 2008-03-28 13:47 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-08-02 07:33 . 2008-07-31 18:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-30 14:23 . 2008-03-24 08:58 -------- d-----w- c:\program files\FTPUPLOAD
    2009-07-30 06:38 . 2005-10-18 21:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-30 06:34 . 2009-04-08 07:37 -------- d-----w- c:\program files\Micromax
    2009-07-29 08:26 . 2009-04-19 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Free Download Manager
    2009-07-29 05:21 . 2007-11-23 08:51 -------- d-----w- c:\documents and settings\sureshg\Application Data\Azureus
    2009-07-19 10:01 . 2009-02-07 16:16 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-11 21:03 . 2005-10-18 22:05 -------- d-----w- c:\program files\Java
    2009-06-11 21:02 . 2009-06-11 21:02 152576 ----a-w- c:\documents and settings\sureshg\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-08 19:20 . 2008-08-29 07:51 -------- d-----w- c:\program files\LimeWire
    2009-05-27 19:25 . 2009-05-27 19:25 390664 ----a-w- c:\documents and settings\sureshg\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-21 07:33 . 2009-04-14 09:20 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-20 19:54 . 2009-02-05 19:18 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
    2006-11-20 05:01 . 2006-11-20 05:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
    2008-06-06 16:22 . 2008-06-06 16:22 1546119 --sha-w- c:\windows\system32\emgpdygo.tmp
    2008-05-08 11:24 . 2004-08-04 12:00 155648 --sha-r- c:\windows\system32\wscript.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
    2009-04-03 16:08 215528 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 68856]
    "Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
    "Nymgo "= "c:\documents and settings\sureshg\Local Settings\Application Data\Nymgo\Nymgo.exe" [2008-12-11 933888]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "NeroCheck "= "c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-08 282624]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "googletalk "= "c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-30 185896]
    "PWRISOVM.EXE "= "c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "CoolSwitch "= "c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "etisalat "= "c:\program files\Etisalat\eSupport\bin\sprtcmd.exe" [2008-06-04 200384]
    "CTFMOON "= "c:\windows\system32\wscript.exe" [2008-05-08 155648]
    "regdeit "= "c:\windows\system32\svchostnt.exe" [2009-08-06 32783]

    c:\documents and settings\sureshg\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
    DSLMON.lnk - c:\program files\Analog Devices\ADSL USB MODEM\dslmon.exe [2007-4-28 929889]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 262944]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "c:\windows\system32\userinit.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 14:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\00hoeav.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\0w.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safe.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\6.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\6fnlpetp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\6x8be16.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2cmd.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2free.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2upd.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\abk.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Adobe Gamma Loader.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\algsrvs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\algssl.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Angry.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Anti-Trojan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTIARP.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antihost.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ANTS.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\APVXDWIN.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArSwp.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashLogV.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashMaiSv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashPopWz.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashQuick.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashSkPcc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashWebSv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ast.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswBoot.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswRegSvr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autorun.bin]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRun.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Autorun.ini]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autorun.reg]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autorun.txt]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autorun.wsh]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AutoRunKiller.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\autorunsc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avadmin.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastSS.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Avciman.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconfig.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVCONSOL.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVENGINE.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgamsvr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgas.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgcc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgcc32.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgemc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avginet.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrsx.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgscan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgserv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgupsvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgw.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgwdsvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avltd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avmailc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvMonitor.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avnotify.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVP32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPCC.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AVPM.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bad1.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bad2.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bad3.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdsubwiz.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BDSurvey.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\BIOSREAD.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\blackice.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caiss.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caissdt.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cauninst.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavApp.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cavasm.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavAUD.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVCmd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVCtx.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavEmSrv.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Cavmr.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavMUD.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Cavoar.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavQ.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVRep.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVRid.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVSCons.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cavse.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavSn.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavSub.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CAVSubmit.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavUMAS.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CavUserUpd.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Cavvl.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CCenter.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CEmRep.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cleaner3.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\CMain.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\copy.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cpe17antiautorun.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cpe17antiautoruna.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\destrukto.vbs]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DF5Serv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwadins.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drweb32w.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drweb386.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebscd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebupw.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwebwcl.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwreg.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwtsn32.exe]
    "Debugger "=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dwwin.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\e.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\e9ehn1m8.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\egui.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ekrn.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EMDISK.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\f0.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FileKan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\flashy.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FProtTray.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fptrayproc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FrameworkService.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Frameworkservice.EXE ]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FRW.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FrzState2k.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fs6519.dll.vbs]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fssf.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fwcagent.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\g2pfnid.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GFUpd.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guard.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GuardField.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardgui.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxkickoff.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxkickoff_x64.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\h3.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\HijackThis.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\hookinst.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\host.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\i.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamapp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iamserv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICLOAD95.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICLOADNT.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICMON.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICSUPP95.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ICSUPPNT.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Identity.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iefqwp.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IEShow.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IFACE.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ij.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\InstallCAVS.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\InstLsp.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iSafe.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iSafInst.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KASARP.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KAVPFW.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavstart.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ker.vbs]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KeyMgr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\killVBS.vbs]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kissvc.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KPfwSvc.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KRegEx.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVSrvXP.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVWSC.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kwatch.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\licmgr.ex]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\licreg.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lky.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\lockdown2000.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\m2nl.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcagent.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcappins.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcaupdate.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcdash.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mcdetect.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcinfo.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcinsupd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcmnhdlr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcregwiz.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\McShield.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mctray.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcupdmgr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcupdui.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\McVSEscn.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcvsftsn.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcvsmap.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mghtml.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mmsk.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MooLive.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MSConfig.exe]
    "Debugger "=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msdos.pif]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msfir80.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MSGrc32.vbs]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msime80.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msizap.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msmsgs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\msvcr71.dll]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\naiavfin.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\naPrdMgr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Navapsvc.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVAPW32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVW32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\new folder.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\njibyekk.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\oasclnt.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\olb1iimw.bat]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\OnAccessInstaller.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Pagent.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Pagentwd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PavFnSvr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavprsrv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PavReport.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pavsched.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PAVSRV51.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pctsAuxs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe
     
    Last edited: 2009/08/10
  9. 2009/08/10
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pctsSvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pctsTray.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFW.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PsCtrlS.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PSHost.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PsImSvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskmssvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\psksvc.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QQDoctor.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\QtnMaint.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAV.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ravmon.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Ravservice.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RavStub.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RAVTRAY.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rcukd.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
    "Debugger "=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\reload.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Rfwstub.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rose.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RSTray.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
    "Debugger "=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Runiep.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\safeboxTray.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sal.xls.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sched.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCVHOST.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scvhosts.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCVHSOT.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCVVHOST.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\scvvhosts.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SCVVHSOT.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\seccenter.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SendLogs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\session.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\shstat.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SocksA.ex]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SOLOCFG.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SOLOLITE.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SOLOSCAN.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SOLOSENT.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Sphinx.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spidercpl.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderml.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spidernt.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spiderui.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spml_set.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SREngLdr.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ssvichosst.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sxs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\system.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
    "Debugger "=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tca.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\temp.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\temp2.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\toy.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TPSrv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojanDetector.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Trojanwall.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.KXP]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UdaterUI.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\uiscan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\unp_test.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\update.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UPSDbMaker.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\userdump.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UUpd.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\v.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32Act.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32ECM.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32ifs.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32PP3.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32Qtn.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbcmserv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbcons.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbglobal.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbimport.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbinst.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbscan.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vbsystry.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VetMsg.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\virusutilities.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VisthAux.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPC32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VPTRAY.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSECOMR.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSHWIN32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsmon.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vsserv.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VSSTAT.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VsTskMgr.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WEBPROXY.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WEBSCANX.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\whi.com]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WinGrc32.dll]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WOPTILITIES.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WrAdmin.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WrCtrl.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wscntfy.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wsctool.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\yannh.cmd]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ybj8df.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zonealarm.exe]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVP32.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVPCC.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\_AVPM.EXE]
    "Debugger "=c:\windows\system32\svchostnt.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @= "service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "d:\\Vuze\\Azureus.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe "=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\Nymgo.exe "=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\gup.exe "=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe "=
    "c:\\Program Files\\Free Download Manager\\fdmwi.exe "=

    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2/20/2008 12:29 PM 110848]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2/20/2008 12:29 PM 38528]
    R2 BMFMySQL;BMFMySQL;c:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [10/22/2005 11:35 PM 4431872]
    R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [3/24/2009 1:31 AM 216552]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/20/2007 5:02 PM 46112]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/28/2009 2:19 PM 80936]
    R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [10/2/2008 9:59 AM 98304]
    R2 USBDLM;USBDLM;c:\documents and settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe [11/17/2008 3:54 PM 156160]
    R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2/5/2009 11:18 PM 33840]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [6/1/2009 10:58 PM 34352]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [10/2/2008 9:59 AM 14976]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27AB0758-F8E8-3AFE-8A4B-A08AB9658382}]
    c:\windows\system32\svchostnt.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-10-10 19:25]

    2009-08-06 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-06 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-02 c:\windows\Tasks\Server Scheduled Scan.job
    - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-26 12:24]

    2009-08-06 c:\windows\Tasks\User_Feed_Synchronization-{B152A6FD-DBA7-4757-82A4-BE2219AC1067}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 00:31]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-fsm - (no file)
    HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
    HKLM-Run-AtiCwd32 - Aticwd32.exe
    HKLM-Run-AtiQiPcl - AtiQiPcl.exe
    HKLM-Run-9xadiras - 9xadiras.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uWindow Title = Microsoft Internet Explorer
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    uInternet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - d:\coreftp\pftpns.dll
    DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - hxxp://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-06 13:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AtiCwd32 = Aticwd32.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    AtiQiPcl = AtiQiPcl.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    svchost = c:\windows\system32\svchostnt.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sophos Message Router]
    "ImagePath "= "\ "c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1840)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(1896)
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(3996)
    c:\windows\system32\SynTPFcs.dll
    c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    SystemRoot\System32\smss.exe [1536]
    ??\c:\windows\system32\csrss.exe [1816]
    ??\c:\windows\system32\winlogon.exe [1840]
    c:\windows\system32\services.exe [1884]
    c:\windows\system32\lsass.exe [1896]
    c:\windows\system32\svchost.exe [136]
    c:\windows\system32\svchost.exe [236]
    c:\windows\System32\svchost.exe [324]
    c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [368]
    c:\windows\system32\svchost.exe [644]
    c:\windows\system32\svchost.exe [760]
    c:\windows\system32\spoolsv.exe [744]
    c:\windows\system32\svchost.exe [904]
    c:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [1048]
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [1068]
    c:\program files\Hotspot Shield\bin\openvpnas.exe [1128]
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [1328]
    c:\windows\system32\inetsrv\inetinfo.exe [1352]
    c:\program files\Java\jre6\bin\jqs.exe [1400]
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [1428]
    c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe [1472]
    c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [660]
    c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe [812]
    c:\program files\Sophos\AutoUpdate\ALsvc.exe [856]
    c:\program files\Sophos\Remote Management System\RouterNT.exe [1380]
    c:\windows\system32\svchost.exe [1644]
    c:\documents and settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe [1060]
    c:\program files\Canon\CAL\CALMAIN.exe [1368]
    c:\windows\System32\alg.exe [2808]
    c:\windows\system32\CF29457.exe [4048]
    c:\windows\system32\igfxtray.exe [2996]
    c:\windows\system32\hkcmd.exe [2300]
    c:\program files\HPQ\Quick Launch Buttons\EabServr.exe [204]
    c:\program files\HP\HP Software Update\HPWuSchd2.exe [2264]
    c:\program files\QuickTime\qttask.exe [3204]
    c:\program files\Synaptics\SynTP\SynTPLpr.exe [2460]
    c:\program files\Synaptics\SynTP\SynTPEnh.exe [3480]
    c:\program files\Google\Google Talk\googletalk.exe [3356]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [300]
    c:\program files\PowerISO\PWRISOVM.EXE [4028]
    c:\windows\system32\taskswitch.exe [4032]
    c:\program files\Java\jre6\bin\jusched.exe [2632]
    c:\program files\Etisalat\eSupport\bin\sprtcmd.exe [2972]
    c:\windows\system32\wscript.exe [3064]
    c:\program files\Messenger\msmsgs.exe [3348]
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2728]
    c:\program files\Sophos\AutoUpdate\ALMon.exe [2392]
    c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2052]
    c:\program files\Analog Devices\ADSL USB MODEM\dslmon.exe [2232]
    c:\program files\Windows Desktop Search\WindowsSearch.exe [3740]
    c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe [1732]
    c:\windows\explorer.exe [3996]
    c:\simplefx\catchme.cfexe [3992]
    .
    **************************************************************************
    .
    Completion time: 2009-08-06 13:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-06 09:44

    Pre-Run: 2,750,554,112 bytes free
    Post-Run: 1,549,897,728 bytes free

    1033 --- E O F --- 2008-12-05 06:55
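Every IFEO key in the log above carries a "Debugger" value that points security tools, plus regedit.exe, taskmgr.exe and rstrui.exe, at the same two payloads, which is the signature of this hijack. As an added example, not code from the thread or from ComboFix, this Python script parses such a dump, flags the hijacks and renders the flagged keys in the CFScript Registry:: delete syntax used by the helper in this thread; the sample excerpt, the debugger allowlist and the fan-out threshold are constructed assumptions.

```python
"""Triage IFEO 'Debugger' hijacks in a ComboFix-style registry dump.
Added example: SAMPLE_LOG is a constructed excerpt shaped like the posted log,
and the allowlist/threshold are assumptions, not ComboFix logic."""
import re
from collections import defaultdict

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
               r"\currentversion\image file execution options")
# Debuggers that legitimately appear under IFEO (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}
# Built-in tools a user reaches for during cleanup; hijacking them is a red flag.
SYSTEM_TOOLS = {"regedit.exe", "taskmgr.exe", "rstrui.exe", "msconfig.exe", "cmd.exe"}
# Security Center values that hide AV/firewall status when set to 1.
SILENCING_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}

KEY_RE = re.compile(r"^\s*\[-?(HKEY_[^\]]+)\]\s*$", re.IGNORECASE)
# Forum rendering inserts a space before the closing quote ("Debugger "=); tolerate it.
VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]*?)\s*"=\s*(?P<data>.*?)\s*$')

# Constructed excerpt: a few keys in the shape of the posted log, not the log itself.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe]
"Debugger "=c:\windows\system32\svchostnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
"Debugger"=c:\windows\system32\svchostnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
"Debugger"=c:\windows\system32\svchostnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
"Debugger"=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"="C:\Program Files\Debugging Tools\ntsd.exe" -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring "=dword:00000001
'''


def parse_reg_dump(text):
    """Yield (key, value_name, data) for every value line in a .reg-style dump."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def ifeo_debuggers(text):
    """Map target executable -> Debugger command line for every IFEO entry."""
    out = {}
    for key, name, data in parse_reg_dump(text):
        if name.lower() == "debugger" and key.lower().startswith(IFEO_PREFIX.lower()):
            out[key.rsplit("\\", 1)[1]] = data
    return out


def debugger_binary(cmd):
    """Basename of the executable a Debugger command line launches (quoted or not)."""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def triage(text, fanout_threshold=3):
    """Return {target: [reasons]} for IFEO entries that look like hijacks."""
    debs = ifeo_debuggers(text)
    per_debugger = defaultdict(list)          # one payload fanned out over many targets
    for target, cmd in debs.items():
        per_debugger[debugger_binary(cmd)].append(target)
    flagged = {}
    for target, cmd in debs.items():
        exe, reasons = debugger_binary(cmd), []
        if exe not in KNOWN_DEBUGGERS:
            reasons.append("debugger is not a known debugger binary")
        if exe in {"wscript.exe", "cscript.exe"}:
            reasons.append("debugger launches a script host")
        if len(per_debugger[exe]) >= fanout_threshold:
            reasons.append(f"same debugger attached to {len(per_debugger[exe])} targets")
        if target.lower() in SYSTEM_TOOLS:
            reasons.append("target is a built-in recovery/admin tool")
        if reasons:
            flagged[target] = reasons
    return flagged


def cfscript_registry_section(flagged):
    """Render flagged keys in CFScript syntax; [-key] tells ComboFix to delete the key."""
    lines = ["Registry::"]
    lines += [f"[-{IFEO_PREFIX}\\{t}]" for t in sorted(flagged, key=str.lower)]
    return "\n".join(lines)


def security_center_overrides(text):
    """Names of Security Center values set to 1 that suppress AV/firewall warnings."""
    return [name for key, name, data in parse_reg_dump(text)
            if "security center" in key.lower()
            and name.lower() in SILENCING_VALUES and data.lower() == "dword:00000001"]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for target, reasons in sorted(hits.items()):
        print(f"{target}: {'; '.join(reasons)}")
    print(cfscript_registry_section(hits))
    print("Security Center silencing values:", security_center_overrides(SAMPLE_LOG))
```

Run against a full ComboFix or regedit export, the same functions list every hijacked target and the payload fan-out in one pass, which is what makes the difference between a single legitimate ntsd.exe entry and the mass redirection in the log above.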
     
  10. 2009/08/10
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Serious infection here; we'll attempt to remove more, but must warn you it may not go well.


    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below. *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail.
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File:: 
    c:\windows\system32\svchostnt.exe
    c:\windows\system32\emgpdygo.tmp
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMOON"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\00hoeav.com]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\0w.com]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27AB0758-F8E8-3AFE-8A4B-A08AB9658382}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ybj8df.exe]
    [IMG]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.


    Please post the new ComboFix.txt
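The CFScript above is a small declarative format: `File::` lists files to delete, a `[KEY]` header selects a registry key, `"name"=-` removes a value under it, and `[-KEY]` deletes a whole key. As an added example (not ComboFix's own code and not part of the original post), the Python below parses that script into a removal plan and flags the Image File Execution Options keys being removed; the dataclass and function names are my own.

```python
import re
from dataclasses import dataclass, field

# CFScript text as posted in the thread (copied; the stray space the forum
# rendered inside "CTFMOON " is not reproduced, because the value name is
# matched literally).
CFSCRIPT = r"""File::
c:\windows\system32\svchostnt.exe
c:\windows\system32\emgpdygo.tmp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMOON"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360safebox.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\00hoeav.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\0w.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360rpt.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27AB0758-F8E8-3AFE-8A4B-A08AB9658382}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ybj8df.exe]
"""

IFEO_MARKER = "\\image file execution options\\"  # compared in lower case


@dataclass
class RemovalPlan:
    """Hypothetical structure (my own naming) holding what the script asks for."""
    files: list = field(default_factory=list)          # paths under File::
    delete_keys: list = field(default_factory=list)    # [-KEY]: whole key removed
    delete_values: list = field(default_factory=list)  # (key, name) from "name"=-
    set_values: list = field(default_factory=list)     # (key, name, data) from "name"=data
    ifeo_targets: list = field(default_factory=list)   # executables whose IFEO key is removed


KEY_RE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_cfscript(text):
    """Walk the script line by line; a section is introduced by a 'Name::' line."""
    plan = RemovalPlan()
    section = None
    current_key = None  # most recent [KEY] header inside Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            plan.files.append(line)
            continue
        if section != "registry":
            raise ValueError(f"line outside a known section: {line!r}")
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:  # [-KEY] deletes the whole key
                plan.delete_keys.append(key)
                current_key = None
                if IFEO_MARKER in key.lower():
                    # Image File Execution Options\<exe>: a Debugger value under
                    # this key makes Windows start the named "debugger" instead
                    # of <exe>, which is how malware stops security tools from
                    # launching. Record which executable was being blocked.
                    plan.ifeo_targets.append(key.rsplit("\\", 1)[1])
            else:  # [KEY] selects the key that the following value lines apply to
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
        name, data = m.groups()
        if data == "-":  # "name"=- deletes that value from the selected key
            plan.delete_values.append((current_key, name))
        else:
            plan.set_values.append((current_key, name, data))
    return plan


def summarize(plan):
    """One line per action, in the order a reviewer would check them."""
    out = [f"delete file: {p}" for p in plan.files]
    out += [f"delete value: {k} -> {n}" for k, n in plan.delete_values]
    out += [f"delete key: {k}" for k in plan.delete_keys]
    out += [f"IFEO hijack removed for: {t}" for t in plan.ifeo_targets]
    return out


if __name__ == "__main__":
    for entry in summarize(parse_cfscript(CFSCRIPT)):
        print(entry)
```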
     
  11. 2009/08/11
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    Dear Ma'am,

    Thanks for your help and cooperation.

    Can I run ComboFix in "Safe Mode with networking" instead of disabling all onboard security programs?
     
  12. 2009/08/11
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    It's always best to try and disable the antivirus and firewall so that they may not interfere with the tool running.

    Will Combofix not run in normal mode?
    I would attempt to run the special script created in normal mode first, if it cannot run as expected then try to run it again in Safe mode.
     
  13. 2009/08/15
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    Hi Ma'am Juliet,

    I was able to complete the operations in Normal mode. The system restarted. The Windows recovery did not install again.

    Please find the attached log details.

    ComboFix 09-08-01.09 - Sureshg 08/15/2009 13:14.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.545 [GMT 4:00]
    Running from: c:\documents and settings\sureshg\Desktop\SimpleFx.exe
    Command switches used :: c:\documents and settings\sureshg\Desktop\CFScript.txt
    AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {41425613-C89B-4DE8-9A58-DB3E57CC85D9}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -

    FILE ::
    "c:\windows\system32\emgpdygo.tmp"
    "c:\windows\system32\svchostnt.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\windows\system32\emgpdygo.tmp
    D:\Autorun.inf
    .
    ---- Previous Run -------
    .
    C:\autorun.inf
    c:\documents and settings\sureshg\Application Data\inst.exe
    c:\temp\1cb\syscheck.log
    c:\windows\Installer\a8be95c.msi
    c:\windows\system32\ackdkfwr.ini
    c:\windows\system32\cttrtaid.ini
    c:\windows\system32\deuhyrxk.ini
    c:\windows\system32\emgpdygo.ini
    c:\windows\system32\hpdhwdvk.ini
    c:\windows\system32\ildybexk.ini
    c:\windows\system32\ilybyykk.ini
    c:\windows\system32\jvegjrkp.ini
    c:\windows\system32\lbjfenuj.ini
    c:\windows\system32\LUuuxyay.ini2
    c:\windows\system32\nhkskuig.ini
    c:\windows\system32\office.exe
    c:\windows\system32\thuohnhb.ini
    c:\windows\system32\tmp.reg
    c:\windows\system32\xciijvfv.ini
    c:\windows\system32\xfuqxqst.ini
    c:\windows\system32\yjspvvfg.ini
    c:\windows\system32\ylboudnk.ini
    D:\autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Ias
    -------\Service_Iprip
    -------\Service_NWCWorkstation


    ((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
    .

    2009-08-12 12:05 . 2009-08-12 12:05 -------- d-----w- c:\documents and settings\sureshg\Application Data\Scooter Software
    2009-08-10 10:19 . 2009-08-10 10:20 1758 ----a-w- c:\documents and settings\sureshg\testprg.zip
    2009-08-07 15:21 . 2009-05-11 18:38 4608 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\w9xpopen.exe
    2009-08-07 15:21 . 2009-05-11 18:38 348160 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\MSVCR71.dll
    2009-08-07 15:21 . 2009-05-11 18:38 36 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles-V4.bat
    2009-08-07 15:21 . 2009-05-11 18:38 2341923 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles.exe
    2009-08-07 15:21 . 2009-08-07 15:21 -------- d-----w- c:\documents and settings\sureshg\Application Data\DAZ 3D
    2009-08-07 15:20 . 2009-08-07 15:20 -------- d-----w- c:\program files\Common Files\DAZ
    2009-08-02 07:54 . 2009-08-02 07:54 -------- d-----w- c:\program files\Trend Micro
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Malwarebytes
    2009-08-02 05:42 . 2009-07-13 09:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-08-02 05:18 . 2009-08-02 05:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-02 05:18 . 2009-07-13 09:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-30 14:25 . 2009-07-30 14:27 -------- d-----w- C:\php
    2009-07-30 14:16 . 2009-07-30 14:16 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2009-07-30 14:14 . 2006-02-28 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2009-07-27 07:49 . 2009-07-27 07:47 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-07-27 07:46 . 2009-07-27 07:54 -------- d-----w- c:\documents and settings\sureshg\.housecall6.6
    2009-07-26 14:01 . 2009-08-15 09:15 272798 --sha-r- C:\pagefiles.sys
    2009-07-26 14:01 . 2009-08-13 09:27 272798 --sha-r- c:\windows\system32\regedit.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-09 04:52 . 2007-11-23 08:51 -------- d-----w- c:\documents and settings\sureshg\Application Data\Azureus
    2009-08-06 09:53 . 2008-07-31 18:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-02 19:48 . 2008-03-28 13:47 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-30 14:23 . 2008-03-24 08:58 -------- d-----w- c:\program files\FTPUPLOAD
    2009-07-30 06:38 . 2005-10-18 21:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-30 06:34 . 2009-04-08 07:37 -------- d-----w- c:\program files\Micromax
    2009-07-29 08:26 . 2009-04-19 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Free Download Manager
    2009-07-19 10:01 . 2009-02-07 16:16 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Common Files\SupportSoft
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Etisalat
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SupportSoft
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-11 21:02 . 2009-06-11 21:02 152576 ----a-w- c:\documents and settings\sureshg\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-05-27 19:25 . 2009-05-27 19:25 390664 ----a-w- c:\documents and settings\sureshg\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-21 07:33 . 2009-04-14 09:20 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-20 19:54 . 2009-02-05 19:18 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
    2006-11-20 05:01 . 2006-11-20 05:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
    2008-05-08 11:24 . 2004-08-04 12:00 155648 --sha-r- c:\windows\system32\wscript.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-06_09.33.30 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     
  14. 2009/08/15
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
    2009-04-03 16:08 215528 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 68856]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
    "Nymgo"="c:\documents and settings\sureshg\Local Settings\Application Data\Nymgo\Nymgo.exe" [2008-12-11 933888]
    "fsm"="" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "NeroCheck "= "c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-08 282624]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "googletalk "= "c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [BU]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-30 185896]
    "PWRISOVM.EXE "= "c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "CoolSwitch "= "c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "etisalat "= "c:\program files\Etisalat\eSupport\bin\sprtcmd.exe" [2008-06-04 200384]
    "AtiCwd32 "= "Aticwd32.exe" [BU]
    "AtiQiPcl "= "AtiQiPcl.exe" [BU]
    "9xadiras "= "9xadiras.exe" [BU]

    c:\documents and settings\sureshg\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
    DSLMON.lnk - c:\program files\Analog Devices\ADSL USB MODEM\dslmon.exe [2007-4-28 929889]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 262944]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "c:\windows\system32\userinit.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 14:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @= "service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "d:\\Vuze\\Azureus.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe "=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\Nymgo.exe "=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\gup.exe "=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe "=
    "c:\\Program Files\\Free Download Manager\\fdmwi.exe "=

    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2/20/2008 12:29 PM 110848]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2/20/2008 12:29 PM 38528]
    R2 BMFMySQL;BMFMySQL;c:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [10/22/2005 11:35 PM 4431872]
    R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [3/24/2009 1:31 AM 216552]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/20/2007 5:02 PM 46112]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/28/2009 2:19 PM 80936]
    R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [10/2/2008 9:59 AM 98304]
    R2 USBDLM;USBDLM;c:\documents and settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe [11/17/2008 3:54 PM 156160]
    R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2/5/2009 11:18 PM 33840]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [6/1/2009 10:58 PM 34352]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [10/2/2008 9:59 AM 14976]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261f6c29-299b-11dd-8dce-00c09fc95834}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d5a2df7-709c-11de-8e80-0012f0dd2bd6}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64366388-ef2d-11dc-8dc1-0010c6c3bfb9}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9be91f70-e5ed-11dd-8e44-0012f0dd2bd6}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbdf9301-84a3-11de-8e95-0010c6c3bfb9}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffe63c03-a6df-11dc-8dad-00c09fc95834}]
    \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
    \Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-10-10 19:25]

    2009-08-13 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-15 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-13 c:\windows\Tasks\Server Scheduled Scan.job
    - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-26 12:24]

    2009-08-15 c:\windows\Tasks\User_Feed_Synchronization-{B152A6FD-DBA7-4757-82A4-BE2219AC1067}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 00:31]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-regdeit - c:\windows\system32\svchostnt.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    uInternet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - d:\coreftp\pftpns.dll
    DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - hxxp://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-15 13:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AtiCwd32 = Aticwd32.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    AtiQiPcl = AtiQiPcl.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\graybi-r.ide 61508 bytes
    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\hupig-bb.ide 123383 bytes
    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\injec-ig.ide 150866 bytes
    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\injec-in.ide 96238 bytes
    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\jsredi-u.ide 131874 bytes
    c:\windows\TEMP\sophos_autoupdate1.dir\1250327869\mdro-cds.ide 11974 bytes

    scan completed successfully
    hidden files: 6

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sophos Message Router]
    "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1872)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(1928)
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(3008)
    c:\windows\system32\SynTPFcs.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Hotspot Shield\bin\openvpnas.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
    c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
    c:\program files\Sophos\AutoUpdate\ALsvc.exe
    c:\program files\Sophos\Remote Management System\RouterNT.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
    c:\program files\Windows Desktop Search\WindowsSearchFilter.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-15 13:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-15 09:32
    ComboFix2.txt 2009-08-06 09:44

    Pre-Run: 1,211,781,120 bytes free
    Post-Run: 1,210,277,888 bytes free

    463 --- E O F --- 2008-12-05 06:55
     
  15. 2009/08/15
    Juliet (Well-Known Member)
    Welcome back


    Download Flash_Disinfector.exe by sUBs from >here<
    or from >here< and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until it has finished scanning and then exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
    • Reboot your computer when done.
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please leave the flash drive plugged in while completing the following.



    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* Using any other text editor than Notepad will make the script fail. Copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.

    Code:
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261f6c29-299b-11dd-8dce-00c09fc95834}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d5a2df7-709c-11de-8e80-0012f0dd2bd6}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64366388-ef2d-11dc-8dc1-0010c6c3bfb9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9be91f70-e5ed-11dd-8e44-0012f0dd2bd6}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbdf9301-84a3-11de-8e95-0010c6c3bfb9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffe63c03-a6df-11dc-8dad-00c09fc95834}]
    [IMG: screenshot of CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If there are internet issues afterward:

    *In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.







    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, so please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.



    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      Click on: Save Report As
      Next, in the Save as prompt, Save in area, select: Desktop
      In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
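    As an added illustration (not part of this thread, and not a ComboFix or Sophos tool), the Python below does mechanically what Juliet did by hand above: it reads the "Reg Loading Points" section of a ComboFix log, picks out the MountPoints2 keys whose AutoRun/open verbs hand a file on the drive to a script host such as wscript.exe, and writes the matching Registry:: deletion block for a CFScript. It goes a little beyond the hand-written script in that it flags every matching key, fixed drives included. The log excerpt inside it is a constructed, cut-down version shaped like the one posted in this thread, with one benign CD-style autorun added for contrast; the list of script hosts is my own heuristic, not something ComboFix reports.

```python
import re
from typing import Dict

# Constructed excerpt in the shape of the ComboFix "Reg Loading Points" log posted
# above: two hijacked MountPoints2 keys plus one benign CD-style autorun for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
\Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261f6c29-299b-11dd-8dce-00c09fc95834}]
\Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
\Shell\open\Command - wscript.exe /e:vbs pagefiles.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-1111-2222-3333-444444444444}]
\Shell\AutoRun\command - E:\setup.exe
"""

# A MountPoints2 section header, e.g. [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
SECTION_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\[^\]]*\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# A verb line underneath it, e.g. \Shell\AutoRun\command - wscript.exe /e:vbs pagefiles.sys
SHELL_CMD_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.IGNORECASE)

# Script hosts and shells a removable drive's AutoRun/open verb has no legitimate
# reason to invoke (heuristic list of my own, not ComboFix's).
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "powershell.exe"}


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 key in the log to its {verb: command} pairs."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            entries[current] = {}
            continue
        if not line or line.startswith("["):
            current = None  # a blank line or any other section ends the block
            continue
        if current is not None:
            cmd = SHELL_CMD_RE.match(line)
            if cmd:
                entries[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return entries


def is_suspicious(command: str) -> bool:
    """True when the verb's executable is a script host or shell rather than a program on the drive."""
    parts = command.split()
    if not parts:
        return False
    exe = parts[0].strip('"').lower().rsplit("\\", 1)[-1]
    return exe in INTERPRETERS


def find_hijacked(entries: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Keep only the keys where at least one verb launches an interpreter."""
    return {key: verbs for key, verbs in entries.items() if any(is_suspicious(c) for c in verbs.values())}


def build_cfscript(hijacked: Dict[str, Dict[str, str]]) -> str:
    """Emit a CFScript Registry:: block; a leading '-' inside the brackets deletes the whole key."""
    lines = ["Registry::"] + [f"[-{key}]" for key in sorted(hijacked)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hijacked = find_hijacked(parse_mountpoints(SAMPLE_LOG))
    for key, verbs in hijacked.items():
        print(key)
        for verb, command in verbs.items():
            print(f"    {verb}: {command}")
    print(build_cfscript(hijacked))
```

    Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the benign E:\setup.exe entry is left alone, while both wscript.exe entries end up in the Registry:: block.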
     
  16. 2009/08/18
    DeepakSharma (Inactive, Thread Starter)
    Hi Ma'am,

    Please find the attached details.

    ComboFix log files
    ---------------------------------------
    ComboFix 09-08-10.06 - Sureshg 08/16/2009 23:56.3.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.713 [GMT 4:00]
    Running from: c:\documents and settings\sureshg\Desktop\SimpleFx.exe
    Command switches used :: c:\documents and settings\sureshg\Desktop\CFScript.txt
    AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {41425613-C89B-4DE8-9A58-DB3E57CC85D9}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    Q:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://esupport.contactcentre.ae
    .
    ((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
    .

    2009-08-15 16:59 . 2004-03-29 11:23 90112 ----a-w- c:\windows\unvise32.exe
    2009-08-12 12:05 . 2009-08-12 12:05 -------- d-----w- c:\documents and settings\sureshg\Application Data\Scooter Software
    2009-08-10 10:19 . 2009-08-10 10:20 1758 ----a-w- c:\documents and settings\sureshg\testprg.zip
    2009-08-07 15:21 . 2009-05-11 18:38 4608 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\w9xpopen.exe
    2009-08-07 15:21 . 2009-05-11 18:38 348160 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\MSVCR71.dll
    2009-08-07 15:21 . 2009-05-11 18:38 36 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles-V4.bat
    2009-08-07 15:21 . 2009-05-11 18:38 2341923 ----a-w- c:\documents and settings\sureshg\Application Data\DAZ 3D\Studio3\DAZ Built-in Content\Runtime\libraries\!DAZ\DzCreateExPFiles.exe
    2009-08-07 15:21 . 2009-08-07 15:21 -------- d-----w- c:\documents and settings\sureshg\Application Data\DAZ 3D
    2009-08-07 15:20 . 2009-08-15 16:59 -------- d-----w- c:\program files\Common Files\DAZ
    2009-08-02 07:54 . 2009-08-02 07:54 -------- d-----w- c:\program files\Trend Micro
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Malwarebytes
    2009-08-02 05:42 . 2009-07-13 09:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-02 05:42 . 2009-08-02 05:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-08-02 05:18 . 2009-08-02 05:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-02 05:18 . 2009-07-13 09:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-30 14:25 . 2009-07-30 14:27 -------- d-----w- C:\php
    2009-07-30 14:16 . 2009-07-30 14:16 -------- d-----w- c:\windows\IIS Temporary Compressed Files
    2009-07-30 14:14 . 2006-02-28 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
    2009-07-27 07:49 . 2009-07-27 07:47 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2009-07-27 07:46 . 2009-07-27 07:54 -------- d-----w- c:\documents and settings\sureshg\.housecall6.6
    2009-07-26 14:01 . 2009-08-15 09:15 272798 --sha-r- C:\pagefiles.sys
    2009-07-26 14:01 . 2009-08-13 09:27 272798 --sha-r- c:\windows\system32\regedit.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-16 05:04 . 2007-11-23 08:51 -------- d-----w- c:\documents and settings\sureshg\Application Data\Azureus
    2009-08-15 19:14 . 2009-02-07 16:16 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-08-06 09:53 . 2008-07-31 18:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-02 19:48 . 2008-03-28 13:47 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-30 14:23 . 2008-03-24 08:58 -------- d-----w- c:\program files\FTPUPLOAD
    2009-07-30 06:38 . 2005-10-18 21:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-30 06:34 . 2009-04-08 07:37 -------- d-----w- c:\program files\Micromax
    2009-07-29 08:26 . 2009-04-19 05:42 -------- d-----w- c:\documents and settings\sureshg\Application Data\Free Download Manager
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Common Files\SupportSoft
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\program files\Etisalat
    2009-07-07 14:10 . 2009-07-07 14:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SupportSoft
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-23 14:36 . 2009-06-23 14:36 0 ----a-w- c:\documents and settings\sureshg\Application Data\FileStore.dll
    2009-06-11 21:02 . 2009-06-11 21:02 152576 ----a-w- c:\documents and settings\sureshg\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-05-27 19:25 . 2009-05-27 19:25 390664 ----a-w- c:\documents and settings\sureshg\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-21 07:33 . 2009-04-14 09:20 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-20 19:54 . 2009-02-05 19:18 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
    2006-11-20 05:01 . 2006-11-20 05:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
    2008-05-08 11:24 . 2004-08-04 12:00 155648 --sha-r- c:\windows\system32\wscript.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-08-15_09.20.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-30 14:15 . 2009-08-16 19:43 214258 c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
    2009-04-03 16:08 215528 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 68856]
    "Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
    "Nymgo "= "c:\documents and settings\sureshg\Local Settings\Application Data\Nymgo\Nymgo.exe" [2008-12-11 933888]
    "fsm "=" " [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
    "eabconfg.cpl "= "c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "NeroCheck "= "c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-02-08 282624]
    "SynTPLpr "= "c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "googletalk "= "c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [BU]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-30 185896]
    "PWRISOVM.EXE "= "c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
    "CoolSwitch "= "c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "etisalat "= "c:\program files\Etisalat\eSupport\bin\sprtcmd.exe" [2008-06-04 200384]
    "AtiCwd32 "= "Aticwd32.exe" [BU]
    "AtiQiPcl "= "AtiQiPcl.exe" [BU]
    "9xadiras "= "9xadiras.exe" [BU]

    c:\documents and settings\sureshg\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-8-16 577597]
    DSLMON.lnk - c:\program files\Analog Devices\ADSL USB MODEM\dslmon.exe [2007-4-28 929889]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 262944]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2007-11-15 14:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @= "service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
     
  17. 2009/08/18
    DeepakSharma (Inactive, Thread Starter)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "d:\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\Nymgo.exe"=
    "c:\\Documents and Settings\\sureshg\\Local Settings\\Application Data\\Nymgo\\gup.exe"=
    "c:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe"=
    "c:\\Program Files\\Free Download Manager\\fdmwi.exe"=

    R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [10/2/2008 9:59 AM 98304]
    R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2/5/2009 11:18 PM 33840]
    S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2/20/2008 12:29 PM 110848]
    S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2/20/2008 12:29 PM 38528]
    S2 BMFMySQL;BMFMySQL;c:\program files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe [10/22/2005 11:35 PM 4431872]
    S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [3/24/2009 1:31 AM 216552]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/20/2007 5:02 PM 46112]
    S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/28/2009 2:19 PM 80936]
    S2 USBDLM;USBDLM;c:\documents and settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe [11/17/2008 3:54 PM 156160]
    S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [6/1/2009 10:58 PM 34352]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [10/2/2008 9:59 AM 14976]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-10-10 19:25]

    2009-08-16 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-15 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 13:04]

    2009-08-16 c:\windows\Tasks\Server Scheduled Scan.job
    - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-26 12:24]

    2009-08-16 c:\windows\Tasks\User_Feed_Synchronization-{B152A6FD-DBA7-4757-82A4-BE2219AC1067}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 00:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    uInternet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - d:\coreftp\pftpns.dll
    DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - hxxp://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-17 00:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AtiCwd32 = Aticwd32.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    AtiQiPcl = AtiQiPcl.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sophos Message Router]
    "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1480)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2009-08-16 0:11
    ComboFix-quarantined-files.txt 2009-08-16 20:10
    ComboFix2.txt 2009-08-15 09:33
    ComboFix3.txt 2009-08-06 09:44

    Pre-Run: 2,230,046,720 bytes free
    Post-Run: 2,207,432,704 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    219 --- E O F --- 2008-12-05 06:55
     
  18. 2009/08/18
    DeepakSharma

    DeepakSharma Inactive Thread Starter

    Joined:
    2009/07/30
    Messages:
    20
    Likes Received:
    0
    Kaspersky Log Details
    ---------------------------------------------------------------
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, August 18, 2009
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, August 17, 2009 19:12:41
    Records in database: 2642062
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\
    M:\
    O:\
    Q:\
    W:\

    Scan statistics:
    Objects scanned: 229295
    Threats found: 13
    Infected objects found: 20
    Suspicious objects found: 0
    Scan duration: 09:00:34


    File name / Threat / Threats count
    C:\pagefiles.sys Infected: Worm.VBS.Autorun.fh 1
    C:\WINDOWS\inf\kl1f7.zip Infected: Backdoor.IRC.Agent.m 1
    C:\WINDOWS\inf\yl5vf.zip Infected: Backdoor.IRC.Agent.n 1
    C:\WINDOWS\system32\regedit.sys Infected: Worm.VBS.Autorun.fh 1
    D:\my doc\vssetup.exe Infected: Virus.Win32.Parite.b 1
    D:\pagefiles.sys Infected: Worm.VBS.Autorun.fh 1
    G:\pagefiles.sys Infected: Worm.VBS.Autorun.fh 1
    G:\FOUND.000\FILE0000.CHK Infected: Trojan.Win32.StartPage.cue 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067391.exe Infected: not-a-virus:Monitor.Win32.PowerSpy.abe 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067391.exe Infected: not-a-virus:Monitor.Win32.PowerSpy.abf 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067391.exe Infected: not-a-virus:Monitor.Win32.PowerSpy.pt 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067391.exe Infected: not-a-virus:Monitor.Win32.PCSpy.aa 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067393.exe Infected: not-a-virus:pSWTool.Win32.ProductKey.b 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067394.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.n 3
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067396.exe Infected: not-a-virus:Monitor.Win32.KeyLoggerLite.i 1
    Q:\System Volume Information\_restore{A6363092-E51D-4F12-A91F-E99027D6A812}\RP314\A0067648.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    Q:\pagefiles.sys Infected: Worm.VBS.Autorun.fh 1
    W:\pagefiles.sys Infected: Worm.VBS.Autorun.fh 1

    Selected area has been scanned.

    ----------------------------------------------------
    HJT LOG Details
    -----------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:20 AM, on 8/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Analog Devices\ADSL USB MODEM\dslmon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Netscape\Navigator 9\navigator.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.corp.cplmg.local:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = lm*;intranet*;domsrv*;128*;ctx*;192.168.*.*;lmdevrms.cplmg.local;<local>
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [etisalat] C:\Program Files\Etisalat\eSupport\bin\sprtcmd.exe /P etisalat
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Nymgo] C:\Documents and Settings\sureshg\Local Settings\Application Data\Nymgo\Nymgo.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: DSLMON.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://lmrtldev.cplmg.local:7783/jinitiator/jinit11814.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1233224577006
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243664982916
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
    O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://domsrvae2.cplmg.com/dwa7W.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.cplmg.local
    O17 - HKLM\Software\..\Telephony: DomainName = corp.cplmg.local
    O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
    O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Documents and Settings\sureshg\My Documents\usbdlm\USBDLM\USBDLM.exe

    --
    End of file - 14563 bytes
     
  19. 2009/08/18
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Kaspersky has confirmed my suspicions

    Infected: Virus.Win32.Parite.b 1
    You have a Parite.B - Virut infection.

    You have a nasty infection on your system. Parite.B is a memory-resident polymorphic file infector which infects .exe and .scr files and can download more malicious files to your system. Looking back over the logs already posted, I can see where this has attached itself to very many software/program files on your computer.
    In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. When disinfection is attempted, the files become corrupted and the system may become irreparable, unusable and non-responsive.

    There is no guarantee the infection can be completely removed. In some instances the infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat, wipe your drive clean and reinstall the OS. If you take this route, which I advise if in fact you have Parite.B on this machine, I would not restore any .exe or .scr files from any backup.

    Again, with PE file infectors, a format is almost always the best and safest solution.

    Flash (usb, pen, thumb, jump) drive infections usually involve malware that modifies and loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

    However, many security experts recommend you disable Autorun ASAP as a method of prevention.


    There is a tutorial in the link below on how to format.
    http://web.mit.edu/ist/products/winxp/adva...all-format.html



    How best to protect yourself online.
    http://users.telenet.be/bluepatchy/miekiem...prevention.html

    http://www.michaelstevenstech.com/cleanxpinstall.html
    Clean Install Windows XP

    http://spyware-free.us/tutorials/reformat/
    Reformatting Windows XP


    I am so sorry to give nothing but bad news.
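The post above describes the mechanism behind the autorun infections in the Kaspersky log (a script dropped at the root of every drive, an autorun.inf that launches it on insert and rewrites Explorer's Open/Explore verbs) and recommends disabling Autorun. The following is an added example, not code from this thread or from any of the tools mentioned in it. It parses a constructed autorun.inf modelled on that behaviour and reports every entry that would cause or redirect execution, rating entries that go through a script host or point at a non-program file (such as a script named pagefiles.sys) higher, and it decodes a NoDriveTypeAutoRun policy value to show on which drive types AutoRun is still active. The sample file, the severity scale and the function names are this example's own assumptions; the registry bit meanings and the 0xFF "disable everywhere" value are Windows documentation.

```python
"""Defender-side triage for autorun.inf abuse (added example, not from the thread).

  * triage_autorun_inf(): list every [autorun] entry that launches or
    redirects execution (open=, shellexecute=, shell\\<verb>\\command=, shell=).
  * autorun_enabled_drive_types(): decode NoDriveTypeAutoRun (under
    HKLM or HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer);
    0xFF disables AutoRun on every drive type.
"""
import re
from dataclasses import dataclass

# Constructed sample for this example (not a captured file): a script named
# to look like a system file, run on insert and via rewritten Explorer verbs.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; constructed sample
open=wscript.exe //e:vbscript pagefiles.sys
shellexecute=wscript.exe //e:vbscript pagefiles.sys
shell\open=&Open
shell\open\command=wscript.exe //e:vbscript pagefiles.sys
shell\explore\command=wscript.exe //e:vbscript pagefiles.sys
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "rundll32", "cmd"}  # interpreters for disguised scripts
PROGRAM_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")   # what a vendor CD normally points at
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")        # shell\<verb>\command=


@dataclass
class AutorunFinding:
    key: str        # the [autorun] key that triggers execution
    command: str    # the value it would run
    reason: str     # why this key matters
    severity: str   # "high" or "medium" (this example's own scale)


def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-cased key: value}; other sections are ignored."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def severity_of(command):
    """High if the launcher is a script host or the target is not a normal program file."""
    tokens = command.lower().replace('"', "").split()
    if not tokens:
        return "medium"
    launcher = tokens[0].rsplit("\\", 1)[-1]
    if launcher.endswith(".exe"):
        launcher = launcher[:-4]
    if launcher in SCRIPT_HOSTS or not tokens[0].endswith(PROGRAM_EXTS):
        return "high"
    return "medium"


def triage_autorun_inf(text):
    """List every [autorun] entry that causes or redirects execution."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if key in ("open", "shellexecute"):
            reason, sev = "runs a program on insert / AutoPlay", severity_of(value)
        elif VERB_COMMAND_RE.match(key):
            reason, sev = "replaces the command behind an Explorer Open/Explore verb", severity_of(value)
        elif key == "shell":
            reason, sev = "changes the default verb run on double-click of the drive icon", "medium"
        else:
            continue  # icon=, label= and verb captions are cosmetic
        findings.append(AutorunFinding(key, value, reason, sev))
    return findings


# Bits of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x04: "removable (USB/flash)", 0x08: "fixed", 0x10: "network",
                   0x20: "CD/DVD", 0x40: "RAM disk"}


def autorun_enabled_drive_types(no_drive_type_autorun):
    """Drive types on which AutoRun is still enabled for the given policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not (no_drive_type_autorun & bit)]


if __name__ == "__main__":
    for f in triage_autorun_inf(SAMPLE_AUTORUN_INF):
        print(f"[{f.severity}] {f.key} = {f.command}  ({f.reason})")
    print("AutoRun still enabled with 0x91 (XP's shipped default):", autorun_enabled_drive_types(0x91))
    print("AutoRun still enabled with 0xFF:", autorun_enabled_drive_types(0xFF) or "nothing")
```

A legitimate vendor CD with `open=setup.exe` is still reported (it does execute on insert), but rated medium; the point of the check is to surface every entry that would run code from a freshly mounted drive so the analyst can decide, and to make the effect of the NoDriveTypeAutoRun setting visible before relying on it.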
     
