Here is the startuplist.log
StartupList report, 5/30/2005, 4:19:49 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
C:\WINDOWS\system32\xvkwciub\dhwli.exe
C:\WINDOWS\system32\nquhop\oabl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\system32\vmiehp\fxcgr.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\system32\bwtl\srsg.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\gmas\itjfwe.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wsqnbl.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
c:\windows\system32\ufgwef.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
S3TRAY2 = S3tray2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
HPHmon03 = C:\WINDOWS\System32\hphmon03.exe
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
checktime = c:\program files\HPSelect\Frontend\ct.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
vptray = C:\Program Files\NavNT\vptray.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
sjkp = C:\WINDOWS\System32\oxsaynow\sjkp.exe
ntmcq = C:\WINDOWS\System32\moqsgf\ntmcq.exe
jtutu = C:\WINDOWS\System32\ybuxb\jtutu.exe
hshatpb = C:\WINDOWS\System32\qboa\hshatpb.exe
evrad = C:\WINDOWS\System32\ynuul\evrad.exe
wsagu = C:\WINDOWS\System32\hahm\wsagu.exe
mhxo = C:\WINDOWS\System32\tlmtptg\mhxo.exe
mefc = C:\WINDOWS\System32\yojsco\mefc.exe
rgif = C:\WINDOWS\System32\hxrkgr\rgif.exe
xcrkvu = C:\WINDOWS\System32\qjdt\xcrkvu.exe
odihfl = C:\WINDOWS\System32\bhohktor\odihfl.exe
oocdnjj = C:\WINDOWS\System32\bpapj\oocdnjj.exe
doupdxwv = C:\WINDOWS\System32\chvuxco\doupdxwv.exe
eimn = C:\WINDOWS\System32\iocotj\eimn.exe
phvxbd = C:\WINDOWS\System32\pxdx\phvxbd.exe
yqxjee = C:\WINDOWS\System32\xjwsh\yqxjee.exe
ZMFGXAox = C:\PROGRA~1\wutorsr\pvptqr.exe
vhodigq = C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
qivgboox = C:\WINDOWS\System32\fnxfp\qivgboox.exe
mwtugl = C:\WINDOWS\System32\jcplxih\mwtugl.exe
pjubdprf = C:\WINDOWS\System32\mgft\pjubdprf.exe
rlqka = C:\WINDOWS\System32\onwvixlj\rlqka.exe
cexawejh = C:\WINDOWS\System32\amdhfp\cexawejh.exe
reiu = C:\WINDOWS\System32\yslecioe\reiu.exe
klqf = C:\WINDOWS\System32\kaxkgh\klqf.exe
fdqy = C:\WINDOWS\System32\kpphqn\fdqy.exe
ckbu = C:\WINDOWS\System32\ankjifjj\ckbu.exe
qalkc = C:\WINDOWS\System32\pwxkysx\qalkc.exe
vpnogrfg = C:\WINDOWS\System32\kevxy\vpnogrfg.exe
dcejfgtk = C:\WINDOWS\System32\epvnb\dcejfgtk.exe
ntqjhb = C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
rjctdjfj = C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
nruewxrl = C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
ovyft = C:\WINDOWS\System32\hctycvyj\ovyft.exe
rxlg = C:\WINDOWS\System32\nwxdmhx\rxlg.exe
ldkgco = C:\WINDOWS\System32\iduvfc\ldkgco.exe
xbhgbw = C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
xqpyix = C:\WINDOWS\System32\kgxpv\xqpyix.exe
cdpbfu = C:\WINDOWS\System32\eypo\cdpbfu.exe
twehfrag = C:\WINDOWS\System32\jffrknf\twehfrag.exe
vropfh = C:\WINDOWS\System32\dbdexge\vropfh.exe
eyytvw = C:\WINDOWS\System32\jelmu\eyytvw.exe
smrr = C:\WINDOWS\System32\vwwskbjg\smrr.exe
yvay = C:\WINDOWS\System32\anfpsx\yvay.exe
lpxjns = C:\WINDOWS\System32\haxjkjf\lpxjns.exe
fcykrqae = C:\WINDOWS\System32\fejlai\fcykrqae.exe
hiujt = C:\WINDOWS\System32\nucy\hiujt.exe
jyumtrt = C:\WINDOWS\System32\tsjbins\jyumtrt.exe
aiyygr = C:\WINDOWS\System32\otqyprha\aiyygr.exe
keqfe = C:\WINDOWS\System32\aqwf\keqfe.exe
quknrc = C:\WINDOWS\System32\mdcsar\quknrc.exe
jehddo = C:\WINDOWS\System32\cdocmugl\jehddo.exe
xnllgwgh = C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
sqtnm = C:\WINDOWS\System32\dsso\sqtnm.exe
rcyjii = C:\WINDOWS\System32\jimi\rcyjii.exe
qqeqw = C:\WINDOWS\System32\fbaceoar\qqeqw.exe
oqpkn = C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
ihdqj = C:\WINDOWS\System32\pafpk\ihdqj.exe
rnlt = C:\WINDOWS\System32\pirs\rnlt.exe
vysma = C:\WINDOWS\System32\bqclh\vysma.exe
gvoktn = C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
demvb = C:\WINDOWS\System32\ywrfy\demvb.exe
rtdbk = C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
KavSvc = C:\WINDOWS\system32\uvknmz.exe reg_run
sunasDTServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
(Default) =
sunasServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
PS2 = C:\WINDOWS\system32\ps2.exe
gxhglii = C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
pfoug = C:\WINDOWS\system32\smjvktve\pfoug.exe
Nsv = C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
picsvr = C:\WINDOWS\system32\picsvr\picsvr.exe
version = C:\WINDOWS\system32\wsqnbl.exe
rqxfkwno = C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
fxcgr = C:\WINDOWS\system32\vmiehp\fxcgr.exe
dhwli = C:\WINDOWS\system32\xvkwciub\dhwli.exe
itjfwe = C:\WINDOWS\system32\gmas\itjfwe.exe
bbxcln = C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
srsg = C:\WINDOWS\system32\bwtl\srsg.exe
oabl = C:\WINDOWS\system32\nquhop\oabl.exe
xpnkrom = c:\windows\system32\ufgwef.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
Extreme Messenger for AIM = C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
NoAds = "C:\Program Files\NoAds\NoAds.exe"
MoneyAgent = "c:\Program Files\Microsoft Money\System\Money Express.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AOLCC = "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
Microsoft Works Update Detection = c:\Program Files\Microsoft Works\WkDetect.exe
Adaware Bootup = C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Web Offer = C:\DOCUME~1\Owner\LOCALS~1\Temp\rlkh.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[158d0f5a-75dc-4029-b857-b4f2e1b10cb7] *
StubPath = C:\WINDOWS\System32\dbnorad.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe C:\WINDOWS\Nail.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\systb.dll (file missing) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE =
file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE =
http://www.apple.com/qtactivex/qtplugin.cab
[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBin\Shared\MGBrwFld.dll
CODEBASE =
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE =
http://messenger.zone.msn.com/binary/Me ... b28578.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE =
http://download.macromedia.com/pub/shoc ... tor/sw.cab
[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE =
http://messenger.zone.msn.com/binary/Mi ... b28578.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE =
http://download.yahoo.com/dl/installs/yinstc.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE =
http://download.microsoft.com/download/ ... mv9VCM.CAB
[AOL Content Update]
InProcServer32 = C:\Program Files\Common Files\AolCoach\en_en\GTDownAO_106.ocx
CODEBASE =
http://esupport.aol.com/help/acp2/engin ... core_1.cab
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE =
http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\System32\mcinsctl.dll
CODEBASE =
http://download.mcafee.com/molbin/share ... insctl.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE =
http://v5.windowsupdate.microsoft.com/v ... 7392481625
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE =
http://messenger.zone.msn.com/binary/Me ... b28578.cab
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE =
http://fpdownload.macromedia.com/get/sh ... rashim.cab
[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE =
http://messenger.zone.msn.com/binary/ZI ... b28578.cab
[HpodPCFileCtrl2 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\hpodpcfc2.dll
CODEBASE =
file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE =
http://fpdownload.macromedia.com/pub/sh ... wflash.cab
[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ITDetector.ocx
CODEBASE =
http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
[WheelofFortune Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
CODEBASE =
http://messenger.zone.msn.com/binary/WoF.cab28578.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
aaplxwc: \??\C:\WINDOWS\System32\fvwnrh\aaplxwc (manual start)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
bbxclnwjkxbhq: C:\WINDOWS\system32\wjkxbhq\bbxcln.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
cdwygit: \??\C:\WINDOWS\System32\wvaqvd\cdwygit (manual start)
cgeapepfc: C:\WINDOWS\System32\epfc\cgeap.exe (disabled)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
coxialg: \??\C:\WINDOWS\system32\bwtl\coxialg (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cwpgvyo: \??\C:\WINDOWS\System32\knpp\cwpgvyo (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DefWatch: C:\Program Files\NavNT\defwatch.exe (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Dot4 HPH09: System32\DRIVERS\hphid409.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Print Class Driver for IEEE-1284.4 HPH09: System32\DRIVERS\hphipr09.sys (manual start)
Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
euuofbmcufmyo: C:\WINDOWS\System32\cufmyo\euuofbm.exe (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
floextc: \??\C:\WINDOWS\System32\unobi\floextc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
FREEDOM Miniport: System32\DRIVERS\FREEDOM.SYS (manual start)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
fvhqcxt: \??\C:\WINDOWS\System32\ynuul\fvhqcxt.sys (manual start)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
gkjvabx: \??\C:\WINDOWS\System32\deksifb\gkjvabx (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
greenstdSystem32: C:\WINDOWS\System32\greenstd.exe (disabled)
guxcwli: \??\C:\WINDOWS\System32\fnxfp\guxcwli.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
hunknse: \??\C:\WINDOWS\System32\qxqbfxv\hunknse (manual start)
hvjaakq: \??\C:\WINDOWS\System32\iocotj\hvjaakq (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
idcmupd: \??\C:\WINDOWS\System32\epvnb\idcmupd (manual start)
iejtaaq: \??\C:\WINDOWS\System32\ojtmcbrq\iejtaaq (manual start)
ihojjxcejlsiq: C:\WINDOWS\System32\jlsiq\ihojjxce.exe (disabled)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
imxqrcx: \??\C:\WINDOWS\System32\caubra\imxqrcx (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
IomegaAccess: C:\WINDOWS\System32\IomegaAccess.exe /S (autostart)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
kjwyfwm: \??\C:\WINDOWS\System32\nucy\kjwyfwm (manual start)
kkyumfcxhvvmpv: C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe (disabled)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
koowegv: \??\C:\WINDOWS\System32\oqleuyht\koowegv (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
lhidgco: \??\C:\WINDOWS\System32\eejyvmnd\lhidgco (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
lsyaljj: \??\C:\WINDOWS\System32\ankjifjj\lsyaljj (manual start)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
lxbfcaa: \??\C:\WINDOWS\System32\ckevux\lxbfcaa (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
: C:\WINDOWS\System32\yojsco\mefc.exe (system)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
mtpacyl: \??\C:\WINDOWS\System32\ytjggmcp\mtpacyl (manual start)
NAVAP: \??\C:\Program Files\NavNT\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\NavNT\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050518.008\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050518.008\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
nghilpp: \??\C:\WINDOWS\system32\smjvktve\nghilpp.sys (manual start)
ngixuid: \??\C:\WINDOWS\System32\egrmglfb\ngixuid (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
Norton AntiVirus Client: C:\Program Files\NavNT\rtvscan.exe (autostart)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
occxuyoi: C:\WINDOWS\System32\uyoi\occx.exe (disabled)
odsutph: \??\C:\WINDOWS\System32\rgcmlusq\odsutph (manual start)
OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
onkiaba: \??\C:\WINDOWS\System32\xjwsh\onkiaba (manual start)
oqvhucoqleuyht: C:\WINDOWS\System32\oqleuyht\oqvhuc.exe (disabled)
: C:\WINDOWS\System32\gudl\oubvvw.exe (system)
ovekyvhxcffaqksm: C:\WINDOWS\System32\cffaqksm\ovekyvhx.exe (disabled)
Virtual NIC Service: C:\WINDOWS\System32\PackethSvc.exe (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
pisgnegrmglfb: C:\WINDOWS\System32\egrmglfb\pisgn.exe (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver: C:\WINDOWS\System32\HPHipm09.exe (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
pwixake: \??\C:\WINDOWS\System32\pwjrjuqe\pwixake.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
qaptyhiahu: C:\WINDOWS\System32\hiahu\qapty.exe (disabled)
qmaknddlpkf: C:\WINDOWS\System32\dlpkf\qmaknd.exe (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
rcfoays: \??\C:\WINDOWS\System32\qxqbfxv\rcfoays.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
rfacgyndcanmapm: C:\WINDOWS\System32\dcanmapm\rfacgyn.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
rsjstpp: \??\C:\WINDOWS\System32\jlsiq\rsjstpp (manual start)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
sakdmeq: \??\C:\WINDOWS\System32\tsjbins\sakdmeq (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SbcpHid: \??\C:\WINDOWS\System32\Drivers\SbcpHid.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
scyienvwhxvora: C:\WINDOWS\System32\hxvora\scyienvw.exe (disabled)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
sgwktgj: \??\C:\WINDOWS\System32\ghttvrl\sgwktgj.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
srsgbwtl: C:\WINDOWS\system32\bwtl\srsg.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Still Serial Digital Camera Driver: System32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
suvoacnssftuej: C:\WINDOWS\System32\sftuej\suvoacns.exe (disabled)
System Startup Service : C:\WINDOWS\svcproc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{D0D945C7-5A6E-485E-A49A-2478DC8DF4E3} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
tdccvsk: \??\C:\WINDOWS\System32\hxrkgr\tdccvsk.sys (manual start)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmsdbfckevux: C:\WINDOWS\System32\ckevux\tmsdbf.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
udinjmx: \??\C:\WINDOWS\System32\cufmyo\udinjmx (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
USB Remote NDIS Network Device Driver: System32\DRIVERS\usb8023.sys (manual start)
uyiriwu: \??\C:\WINDOWS\System32\jelmu\uyiriwu (manual start)
vburfghttvrl: C:\WINDOWS\System32\ghttvrl\vburf.exe (disabled)
vdmoinbn: C:\WINDOWS\System32\inbn\vdmo.exe (disabled)
vecapin: \??\C:\WINDOWS\System32\fjje\vecapin.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vlibgrt: \??\C:\WINDOWS\system32\nquhop\vlibgrt (manual start)
vnymjxlqxqbfxv: C:\WINDOWS\System32\qxqbfxv\vnymjxl.exe (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
wfjstlq: \??\C:\WINDOWS\System32\inbn\wfjstlq (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
xikhcnl: \??\C:\WINDOWS\System32\bbsgmgq\xikhcnl (manual start)
xmfeooo: \??\C:\WINDOWS\System32\fbaceoar\xmfeooo (manual start)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
xoynson: \??\C:\WINDOWS\System32\kaxkgh\xoynson (manual start)
xvehhlt: \??\C:\WINDOWS\System32\eypo\xvehhlt.sys (manual start)
ycwkblbrvpieg: C:\WINDOWS\System32\brvpieg\ycwkbl.exe (disabled)
yyaxgmhfjje: C:\WINDOWS\System32\fjje\yyaxgmh.exe (disabled)
ZipToA: C:\WINDOWS\System32\ZipToA.exe /S (disabled)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
newpws = C:\WINDOWS\System32\newpws.exe
krxf.exe = C:\WINDOWS\system\krxf.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 48,198 bytes
Report generated in 0.265 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
---------------------------------------------------------------------------
And, the HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 4:26:57 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
C:\WINDOWS\system32\xvkwciub\dhwli.exe
C:\WINDOWS\system32\nquhop\oabl.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\system32\vmiehp\fxcgr.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\system32\bwtl\srsg.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\gmas\itjfwe.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wsqnbl.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
c:\windows\system32\ufgwef.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\axpfbho.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\nndbu.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnxjmxom.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\sdlnfw.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {F5C88987-35F5-ECA8-B7BB-592F28062E2E} - C:\WINDOWS\system32\ncbmtlxj\swcijjvg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [pfoug] C:\WINDOWS\system32\smjvktve\pfoug.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\sdlnfw.exe
O4 - HKLM\..\Run: [rqxfkwno] C:\WINDOWS\system32\ybvdenni\rqxfkwno.exe
O4 - HKLM\..\Run: [fxcgr] C:\WINDOWS\system32\vmiehp\fxcgr.exe
O4 - HKLM\..\Run: [dhwli] C:\WINDOWS\system32\xvkwciub\dhwli.exe
O4 - HKLM\..\Run: [itjfwe] C:\WINDOWS\system32\gmas\itjfwe.exe
O4 - HKLM\..\Run: [bbxcln] C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
O4 - HKLM\..\Run: [srsg] C:\WINDOWS\system32\bwtl\srsg.exe
O4 - HKLM\..\Run: [oabl] C:\WINDOWS\system32\nquhop\oabl.exe
O4 - HKLM\..\Run: [xpnkrom] c:\windows\system32\ufgwef.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\wpaokubj.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\Owner\LOCALS~1\Temp\rlkh.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) -
http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v ... 7392481625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) -
file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) -
http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: bbxclnwjkxbhq - Unknown owner - C:\WINDOWS\system32\wjkxbhq\bbxcln.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: srsgbwtl - Unknown owner - C:\WINDOWS\system32\bwtl\srsg.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe