


Unknown Program Loading


  • This topic is locked
8 replies to this topic

#1 inetmaster

inetmaster

    Member

  • Full Member
  • 4 posts

Posted 25 October 2005 - 12:15 AM

I have an issue with an unknown program that will show up in my taskbar, then disappear. It loads with the generic white window icon, and no name in the title bar. This program is gone in less than a second, so checking the task manager seems futile.

I have run scans using current versions of Spybot, Ad-Aware, and use AVG Antivirus. None of these programs suggest any threat. I am behind an IPCop firewall. I have manually looked in the Startup folders, Registry Run section, and Scheduled Tasks.

I'm concerned that this is a malicious program - it certainly behaves that way.

I could use some suggestions on nailing this one down.

Here's a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:32 AM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wayne\Desktop\temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: VPN Client.lnk.disabled
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124923166704
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76903C5D-CB5E-4D1B-BC69-0CFDDD18EF0B}: NameServer = 172.16.1.10,192.168.0.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dtndev.data-trak.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = dtndev.data-trak.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = dtndev.data-trak.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dtndev.data-trak.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
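
The O4, O20 and O23 lines in a HijackThis log each encode an autostart location, a display name and an image path in a slightly different layout. The script below is an added example (it is not code from this thread, from HijackThis or from SWI): a parser for those three line formats plus a small set of triage rules that a helper would apply by eye when reading a log like the one above, namely an image given as a bare file name rather than an absolute path (resolved through the search path at load time), a service whose binary carries no company name ("Unknown owner"), a DLL listed in AppInit_DLLs (loaded into every process that links user32.dll), a Winlogon Notify DLL (loaded into winlogon.exe), and a ".lnk.disabled" startup shortcut (inert until renamed back). The sample lines are copied from the log posted above; the flag names and the rule set are this example's own choices, not part of the HijackThis format.

```python
"""Parse HijackThis O4/O20/O23 log lines and attach review flags.

Added example, not HijackThis code. Flags are triage hints for a human
reviewer, not verdicts: every flagged line in the sample below belongs to
a known product, which is exactly why the path and company name still
need to be checked by hand.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk.disabled
O20 - AppInit_DLLs: HookDLL.DLL
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Entry:
    section: str            # "O4", "O20" or "O23"
    location: str           # registry key, startup folder or load mechanism
    name: str               # value name, shortcut name or service name
    target: str             # executable / DLL exactly as written in the log
    args: str = ""
    owner: str = ""         # O23 only: company name from the binary's version info
    flags: list = field(default_factory=list)


_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.*)$")
_FOLDER = re.compile(r"^O4 - ((?:Global )?Startup): (.*)$")
_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
# Image path ends at the first executable extension; this copes with unquoted
# paths that contain spaces, as in the Error Nuker line.
_CMD = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr))"?(?:\s+(.*))?$', re.IGNORECASE)
_ABS = re.compile(r"^[A-Za-z]:\\")


def split_command(cmd):
    """Return (image_path, arguments) for a Run-style command string."""
    m = _CMD.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group(1), m.group(2) or ""


def parse_hjt(text):
    """Turn O4/O20/O23 lines into Entry objects; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _RUN.match(line):
            target, args = split_command(m.group(3))
            entries.append(Entry("O4", m.group(1), m.group(2), target, args))
        elif m := _FOLDER.match(line):
            name, _, target = m.group(2).partition(" = ")
            entries.append(Entry("O4", m.group(1), name.strip(), target.strip()))
        elif m := _APPINIT.match(line):
            for dll in re.split(r"[ ,]+", m.group(1).strip()):  # value may list several DLLs
                if dll:
                    entries.append(Entry("O20", "AppInit_DLLs", dll, dll))
        elif m := _NOTIFY.match(line):
            entries.append(Entry("O20", "Winlogon Notify", m.group(1), m.group(2)))
        elif m := _SERVICE.match(line):
            target, args = split_command(m.group(3))
            entries.append(Entry("O23", "Service", m.group(1), target, args, m.group(2)))
    return entries


def review(entries):
    """Attach sorted review flags to each entry and return the list."""
    for e in entries:
        if e.name.endswith(".disabled"):
            e.flags.append("disabled-shortcut")   # renamed shortcut, not executed
            continue
        if e.location == "AppInit_DLLs":
            e.flags.append("appinit-dll")         # loaded into every user32 process
        if e.location == "Winlogon Notify":
            e.flags.append("winlogon-notify")     # loaded into winlogon.exe
        if e.owner == "Unknown owner":
            e.flags.append("unknown-owner")       # binary has no company name
        if e.target and not _ABS.match(e.target):
            e.flags.append("bare-filename")       # found via search path at load time
        e.flags.sort()
    return entries


def flags_by_name(text):
    """Convenience view: entry name -> list of review flags."""
    return {e.name: e.flags for e in review(parse_hjt(text))}


if __name__ == "__main__":
    for e in review(parse_hjt(SAMPLE_LOG)):
        marker = ", ".join(e.flags) or "-"
        print(f"{e.section:<4}{e.location:<20}{e.name:<36}{marker}")
```

Running the block prints one row per entry with its flags; in the sample, CTHelper and HookDLL.DLL are the bare-filename cases, Adobe LM Service is the unknown-owner case, and the AVG lines come through clean. The rules only rank what to look at first; the Silent Runners output later in the thread shows the company names behind several of these entries, which is the kind of check the flags are meant to prompt.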

#2 viccy

viccy

    Forum Deity

  • Retired Staff - Helper
  • 832 posts

Posted 27 October 2005 - 08:06 AM

Welcome to SWI. I am analyzing your log now and will have instructions for you shortly.
Keep this forum alive - I'm a volunteer, it's my pleasure to serve, but the SWI site needs your donations to operate. For more information click here. Thank you for your support.

#3 viccy

viccy

    Forum Deity

  • Retired Staff - Helper
  • 832 posts

Posted 27 October 2005 - 08:53 AM

Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

#4 inetmaster

inetmaster

    Member

  • Full Member
  • 4 posts

Posted 30 October 2005 - 12:51 AM

Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Here's the requested log.

Thanks for looking in to this!



"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"kX Mixer" = "C:\WINDOWS\system32\kxmixer.exe --startup" ["Eugene Gavrilov"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"" ["Sonic Solutions"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Regsister WScript" = "wscript -regserver" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "bho2gr Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}" = "AS/400 Shell Extensions - AS/400 IPL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunas4.dll" ["IBM Corporation"]
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}" = "AS/400 Network"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}" = "AS/400 Shell Extensions - AS/400 Network"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{8CA2EBC1-40C7-4451-AD01-7DEEB4690358}" = "AS/400 Related Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{5E44E520-2F69-11d1-9318-0004AC946C18}" = "AS/400 Shell Extensions - Auto Refresh"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunarf.dll" ["IBM Corporation"]
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Drag Drop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunddh.dll" ["IBM Corporation"]
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - File Systems Properties"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunfsf.dll" ["IBM Corporation"]
"{1827A857-9C20-11d1-96C3-00062912C9B2}" = "AS/400 Shell Extensions - Java Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjav.dll" ["IBM Corporation"]
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Send Message"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgs.dll" ["IBM Corporation"]
"{C60EF841-2F98-11d1-A19A-08005A4F659F}" = "AS/400 Shell Extensions - NFS Server"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunnfs.dll" ["IBM Corporation"]
"{040606B2-1C19-11d2-AA12-08005AD17735}" = "AS/400 Shell Extensions - Visual Basic Components"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cwbunvba.dll" ["IBM Corporation"]
"{D63E20C4-3F6D-11d3-BCE6-002035C0A6DA}" = "AS/400 Shell Extensions - Journaling"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjrn.dll" ["IBM Corporation"]
"{01FE9570-15A3-11d2-8309-000629AA1859}" = "AS/400 Shell Extensions - Management Central"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{7D7E1B60-0EF8-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Task Activity/Scheduled Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypc.dll" ["IBM Corporation"]
"{3B453C20-21CD-11d2-8318-000629AA1859}" = "AS/400 Shell Extensions - Management Central SW Inventory"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{4CE18940-3E8B-11d2-834B-000629AA1859}" = "AS/400 Shell Extensions - Management Central HW Inventory"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{B08B7EAD-2FD4-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Inventory Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyiv.dll" ["IBM Corporation"]
"{90BE6B50-1041-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Endpoint Systems"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{E4C59510-1050-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central System Groups"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypg.dll" ["IBM Corporation"]
"{C2661801-FFE8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Messages"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgf.dll" ["IBM Corporation"]
"{22982561-EEC8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Spool Files"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunouf.dll" ["IBM Corporation"]
"{8514E881-FF45-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Printers"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunprf.dll" ["IBM Corporation"]
"{FF142762-FAB1-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Jobs"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjbf.dll" ["IBM Corporation"]
"{85142F21-87FA-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - Hardware Inventory"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunhwf.dll" ["IBM Corporation"]
"{D2EF10E6-1DB9-11d2-BA43-0006296A8ED2}" = "AS/400 Shell Extensions - Collection Services"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunpmf.dll" ["IBM Corporation"]
"{38E423E4-2F35-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Collection Services Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunpmf.dll" ["IBM Corporation"]
"{07173161-93C3-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - Software Inventory"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunswf.dll" ["IBM Corporation"]
"{94D923E0-20E3-11d2-8317-000629AA1859}" = "AS/400 Shell Extensions - Management Central Fixes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypt.dll" ["IBM Corporation"]
"{07AF64BD-3000-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Fixes Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunypt.dll" ["IBM Corporation"]
"{2FE31D81-A5C8-11d0-82BD-08005AA74F5C}" = "AS/400 Shell Extensions - Internet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbuninf.dll" ["IBM Corporation"]
"{525FE6D1-D3A2-11d0-8F5A-08005ACF81FE}" = "AS/400 Shell Extensions - Socks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunisf.dll" ["IBM Corporation"]
"{5D5D8AC1-AC35-11d0-8E51-444553540000}" = "AS/400 Shell Extensions - TCPIPServers"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbuntca.dll" ["IBM Corporation"]
"{46184AE1-AAA4-11d0-8E51-444553540000}" = "AS/400 Shell Extensions - BaseTCPIP"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\shared\cwbuntcb.dll" ["IBM Corporation"]
"{E7CA4E41-AB46-11d0-8E51-444553540000}" = "AS/400 Shell Extensions - DHCP"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\shared\cwbuntcd.dll" ["IBM Corporation"]
"{A206FAC3-B636-11d0-8E51-444553540000}" = "AS/400 Shell Extensions - Remote Access Services"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\shared\cwbuntcp.dll" ["IBM Corporation"]
"{847FF4A1-AB61-11d0-8E51-444553540000}" = "AS/400 Shell Extensions - DNS"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\shared\cwbuntcs.dll" ["IBM Corporation"]
"{F8AB7201-C6FE-11d0-A16D-08005A4F659F}" = "AS/400 Shell Extensions - WinNetHood"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunzls.dll" ["IBM Corporation"]
"{044E2A21-BFBD-11d0-B776-0004AC940D52}" = "AS/400 Shell Extensions - RPC Server"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunrpc.dll" ["IBM Corporation"]
"{3BA92222-0F54-11d1-BB98-0004AC946B70}" = "AS/400 Shell Extensions - Directory Server"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbungld.dll" ["IBM Corporation"]
"{AA3B74D8-481F-11d2-BD9F-0006296A7BFD}" = "AS/400 Shell Extensions - Server Subsystem Configuration"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjbs.dll" ["IBM Corporation"]
"{5F058520-C229-11d1-A2D8-0004ACEA99C1}" = "AS/400 Shell Extensions - SecWiz"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunwzd.dll" ["IBM Corporation"]
"{BF5B0321-6793-11CF-8877-444553540000}" = "AS/400 Shell Extensions - Users and Groups"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunugf.dll" ["IBM Corporation"]
"{4360EE25-EB84-11d2-9145-00203531916D}" = "AS/400 Shell Extensions - Management Central User Admin (Inventory)"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyua.dll" ["IBM Corporation"]
"{26CA5BB1-0318-11d3-914C-00203531916D}" = "AS/400 Shell Extensions - Management Central User Admin (Definition)"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyua.dll" ["IBM Corporation"]
"{A7CE1A9B-5991-11d3-9195-002035AE9862}" = "AS/400 Shell Extensions - Management Central User Admin (Tasks)"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyua.dll" ["IBM Corporation"]
"{333195D9-CE4E-11d1-B33D-0004AC760C57}" = "AS/400 Shell Extensions - File Shares Properties"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunfss.dll" ["IBM Corporation"]
"{DF99C160-B894-11cf-BB91-08005ACECA20}" = "AS/400 Shell Extensions - Backup"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunbkf.dll" ["IBM Corporation"]
"{DAB1B0F0-0F7A-11d2-8307-000629AA1859}" = "AS/400 Shell Extensions - Management Central Command"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyrs.dll" ["IBM Corporation"]
"{2AC4CC1B-2A53-11d3-917A-00203531488C}" = "AS/400 Shell Extensions - Management Central Command Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyrs.dll" ["IBM Corporation"]
"{1BE914D0-217E-11d2-8318-000629AA1859}" = "AS/400 Shell Extensions - Management Central Packages"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyds.dll" ["IBM Corporation"]
"{3C6D4FB0-1F53-11d3-9169-00203531917D}" = "AS/400 Shell Extensions - Management Central Products"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyds.dll" ["IBM Corporation"]
"{4B8388FD-2FF9-11d3-917F-00203531488C}" = "AS/400 Shell Extensions - Management Central Packages Tasks"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyds.dll" ["IBM Corporation"]
"{64B95947-1759-11d2-ABC8-000629AB3FA1}" = "AS/400 Shell Extensions - System Monitors"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunyme.dll" ["IBM Corporation"]
"{0637AEF4-4998-11d1-B4BF-0004ACEA60A2}" = "AS/400 Shell Extensions - Application Administration"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunplf.dll" ["IBM Corporation"]
"{8C190250-D9F1-11d1-9EBB-00062912CA23}" = "AS/400 User Page Extension - Application Wiz"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunugw.dll" ["IBM Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{658B579F-26F7-4f28-83E4-2D1301FBC10B}" = "iSeries Navigator Data Server - ANSI plug-ins"
-> {CLSID}\InProcServer32\(Default) = "cwbunapi.dll" ["IBM Corporation"]
"{806756FB-CC6D-42cd-A6AE-F7F4916C5E22}" = "iSeries Navigator Shell Extensions - ANSI plug-ins"
-> {CLSID}\InProcServer32\(Default) = "cwbunapi.dll" ["IBM Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}" = "QuickPar ContextMenu extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\QuickPar\QuickParShlExt.dll" ["Peter B Clements"]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll" ["Sonic Solutions"]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Disc Image Loader\DC_ShellExt.dll" ["Sonic Solutions"]
"{147C4760-0B2C-11D0-BD4A-00001C5002DB}" = "Peek Text Extraction"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\peek.dll" ["Martin Lubich"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{9DED7A30-D572-4D21-8D82-6945EA697400}" = "Macromedia FlashPaper Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "HookDLL.DLL" ["Wise Solutions, Inc."]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
Macromedia.FlashPaper.ContextMenu\(Default) = "{9DED7A30-D572-4D21-8D82-6945EA697400}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]
PeekContext\(Default) = "{147C4760-0B2C-11D0-BD4A-00001C5002DB}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\peek.dll" ["Martin Lubich"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Quick Par\(Default) = "{D120D80B-BD26-4A74-8E43-2C2AF0966139}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\QuickPar\QuickParShlExt.dll" ["Peter B Clements"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinUHA\SHELLW~1.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinUHA\SHELLW~1.DLL" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\ipffile\shell\open\command\
INFECTION WARNING! "Default" = "C:\WDSC\CODEEDIT.EXE "%1"" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Wayne\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Wayne" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
INFECTION WARNING! "Acrobat Assistant.lnk.disabled" [null data]
INFECTION WARNING! "Adobe Gamma Loader.lnk.disabled" [null data]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
INFECTION WARNING! "HP Image Zone Fast Start.lnk.disabled" [null data]
INFECTION WARNING! "VPN Client.lnk.disabled" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
PDScheduler, PDSched, ""C:\Program Files\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 460 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 56 seconds.
---------- (total run time: 607 seconds)

#5 viccy

viccy

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 832 posts

Posted 01 November 2005 - 10:35 AM

Open Hijack This, then go to misc. tools, and click on generate startup list and post the results in your reply, please.
Keep this forum alive - I'm a volunteer, it's my pleasure to serve, but the SWI site needs your donations to operate. For more information click here. Thank you for your support.

#6 inetmaster

inetmaster

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 01 November 2005 - 01:12 PM

StartupList report, 11/1/2005, 2:11:47 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Wayne\Desktop\temp\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SpamRip\spamrip.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wayne\Desktop\temp\HijackThis.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk.disabled
Adobe Gamma Loader.lnk.disabled
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk.disabled
VPN Client.lnk.disabled

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
CTHelper = CTHELPER.EXE
kX Mixer = C:\WINDOWS\system32\kxmixer.exe --startup
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Regsister WScript = wscript -regserver

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\ipffile\shell\open\command

(Default) = C:\WDSC\CODEEDIT.EXE "%1"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=HookDLL.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\GetRight\xx2gr.dll - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1124923166704

[DLC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\grTransferCtrl.dll
CODEBASE = http://transfers.one...ransferCtrl.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 7,227 bytes
Report generated in 0.631 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#7 viccy

viccy

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 832 posts

Posted 01 November 2005 - 01:53 PM

I have found nothing in your logs or reports that you submitted that would indicate malware. However, if you are having any specific problems, we can do some further diagnostics.

#8 inetmaster

inetmaster

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 02 November 2005 - 05:37 AM

I have found nothing in your logs or reports that you submitted that would indicate malware.  However, if you are having any specific problems, we can do some further diagnostics.


Thanks - I guess it is good I don't seem to be infected. The question remains now, what is this software that is showing up? I'd like to be able to disable it, but a full reload is not an option right now.....

How can I find out what piece of software this is? Is there some tool that can log every application opened?
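The post above asks for a tool that logs every application opened. As an added example, not something from this thread or from HijackThis, here is a PowerShell script that subscribes to the WMI class Win32_ProcessStartTrace and appends one line per process start (timestamp, PID, image name, parent PID and name, command line) to a log file, so a window that lives for under a second still leaves a record. It needs an elevated session; the log path under $env:TEMP is an assumption.

```powershell
# Added example (not from the thread): log every process start on the machine
# with its parent and command line. Requires an elevated PowerShell session;
# the event source is the WMI class Win32_ProcessStartTrace.
$logPath = Join-Path $env:TEMP 'process-start.log'   # assumed log location

$onStart = {
    $e = $Event.SourceEventArgs.NewEvent
    # The process may already have exited by the time the event is delivered,
    # so the command-line lookup is best effort; the image name and parent PID
    # come from the event itself and are always available.
    $proc   = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
    $cmd    = if ($proc)   { $proc.CommandLine } else { '<exited before lookup>' }
    $pname  = if ($parent) { $parent.Name }       else { '<parent gone>' }
    $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'
    $line   = "$stamp pid=$($e.ProcessID) name=$($e.ProcessName) parent=$($e.ParentProcessID) ($pname) cmd=$cmd"
    Add-Content -Path $Event.MessageData -Value $line
}

# -MessageData hands the log path into the action block as $Event.MessageData.
Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier ProcStartLog `
                  -Action $onStart -MessageData $logPath | Out-Null

Write-Host "Logging process starts to $logPath"
Write-Host "Leave this session open; stop with: Unregister-Event -SourceIdentifier ProcStartLog"
```

Leave the session running until the mystery window appears, then read the log and look at the entries around that moment: the parent name usually tells you who launched it (Explorer for a startup item, a scheduler or a service for something timed). The same information is available without scripting from Sysinternals Process Monitor (its Process Create events) or by enabling process-tracking audit in Windows, which writes a security event per process start.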

#9 viccy

viccy

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 832 posts

Posted 02 November 2005 - 06:51 AM

The 04 entries in your Hijack This log load at startup and the list that Hijack This generated is also what starts. It most likely is related to one of these.
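The reply above points at the O4 (Run key and startup folder) entries as the likely origin. As an added example, not from the thread or from HijackThis, the PowerShell script below enumerates the same Run/RunOnce keys and startup folders that the StartupList report covers, resolves each command to a file the way the Windows loader would (quoted path, then whitespace prefixes of an unquoted path, then a PATH lookup for bare names such as CTHELPER.EXE), and reports whether the target exists and carries a valid Authenticode signature. Entries whose file is missing or unsigned are sorted to the top; which locations to check and the output columns are my choices.

```powershell
# Added example (not from the thread or HijackThis): enumerate the autostart
# locations behind HijackThis O4 entries and the StartupList "Autorun entries"
# section, resolve each command to a file, and report missing or unsigned targets.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }        # quoted path
    # Unquoted command: mimic CreateProcess and try each whitespace prefix
    # ("C:\Program", "C:\Program Files\HP\HP", ...) until a file is found.
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        foreach ($c in @($prefix, "$prefix.exe")) {
            if ([IO.Path]::IsPathRooted($c)) {
                if (Test-Path -LiteralPath $c -PathType Leaf) { return $c }
            } else {
                # Bare names such as CTHELPER.EXE or wscript are searched on PATH.
                $app = Get-Command $c -CommandType Application -ErrorAction SilentlyContinue
                if ($app) { return $app.Path }
            }
        }
    }
    return $null
}

function New-AutostartEntry([string]$Location, [string]$Name, [string]$Command) {
    $file = Resolve-CommandPath $Command
    $signed = $false
    if ($file) {
        # 'Valid' means a trusted Authenticode signature; 'NotSigned' is common
        # for small vendors and is a reason to look closer, not proof of malware.
        $signed = (Get-AuthenticodeSignature -FilePath $file).Status -eq 'Valid'
    }
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $Command
        File = $file; Exists = [bool]$file; Signed = $signed
    }
}

function Get-AutostartReport {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            $entries += New-AutostartEntry $key $p.Name ([string]$p.Value)
        }
    }
    # Startup folders: only real .lnk files launch; a "*.lnk.disabled" file is inert.
    $shell = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        foreach ($lnk in (Get-ChildItem -LiteralPath $folder -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            $entries += New-AutostartEntry $folder $lnk.Name ('"{0}"' -f $target)
        }
    }
    return $entries
}

Get-AutostartReport |
    Sort-Object Exists, Signed |
    Format-Table Location, Name, File, Exists, Signed -AutoSize
```

Run it from an ordinary PowerShell prompt; nothing is modified. An entry whose file does not exist cannot be what is launching, while an existing but unsigned target with a generic name is the kind of entry worth checking against the vendor before disabling it. The prefix walk in Resolve-CommandPath is also why unquoted paths containing spaces (the "HP Software Update" value in the report above is one) are a known weak spot: any file at an earlier prefix would be started instead.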