Alright, Deckard, here are the new logs:
"Silent Runners.vbs", revision 49,
http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"DW4" = ""C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"" ["The Weather Channel Interactive"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"LtMoh" = "C:\Program Files\ltmoh\Ltmoh.exe" ["Agere Systems"]
"00THotkey" = "C:\WINDOWS\System32\00THotkey.exe" ["TOSHIBA Corp."]
"000StTHK" = "000StTHK.exe" [null data]
"TMESRV.EXE" = "C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon" ["TOSHIBA"]
"TMERzCtl.EXE" = "C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service" ["TOSHIBA"]
"TMEEJME.EXE" = "C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE" ["TOSHIBA"]
"TMESBS.EXE" = "C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client" ["TOSHIBA Corporation"]
"DpUtil" = "C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe" ["TOSHIBA"]
"TFNF5" = "TFNF5.exe" ["Toshiba Corp."]
"TosHKCW.exe" = ""C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"" ["TOSHIBA CORPORATION"]
"NDSTray.exe" = ""C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"" ["TOSHIBA CORPORATION"]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"(Default)" = "(empty string)" [file not found]
"TFncKy" = "TFncKy.exe /Type 25" ["TOSHIBA Corporation"]
"Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"]
"Pinger" = "c:\toshiba\ivp\ism\pinger.exe /run" ["TOSHIBA Corporation"]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"DriverMagicLogon" = ""C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot" ["SymplisIT Corporation"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {HKLM...CLSID} = "Microsoft Office Binder Explode"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Chad Swanson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\DOCUME~1\CHADSW~1\Desktop\Stuff\MATRIX~1.SCR" (Matrix Code Emulator.scr) [null data]
Startup items in "Chad Swanson" & "All Users" startup folders:
--------------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]
"Run Nintendo Wi-Fi USB Connector Registration Tool" -> shortcut to: "C:\Program Files\WiFiConnector\NintendoWFCReg.exe" [empty string]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.toshiba.com
Missing lines (compared with English-language version):
[Strings]: 1 line
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\System32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Tmesbs32, Tmesbs, ""C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service" ["TOSHIBA Corporation"]
Tmesrv3, Tmesrv, ""C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service" ["TOSHIBA"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt08\Driver = "hpzsnt08.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 106 seconds.
---------- (total run time: 140 seconds)
And Kaspersky (clean result: 0 infected / 0 suspicious; the "Object is locked skipped" entries below are in-use registry hives, event logs and index.dat files, which an online scanner cannot open while Windows is running, so they are expected rather than a sign of evasion):
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 03, 2006 4:52:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/12/2006
Kaspersky Anti-Virus database records: 233769
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 79643
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:34
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Chad Swanson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chad Swanson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chad Swanson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chad Swanson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Swanson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Swanson\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chad Swanson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CB8232F6-6F86-4FF8-9639-133A519A027C}\RP405\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd3021.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
Scan process completed.
And Autoruns (run with signature verification enabled — entries marked "(Not verified)" are images whose Authenticode signature could not be verified, not necessarily malicious; "File not found" entries are stale autostart references to images that no longer exist on disk):
Chad Swanson - Sun 12/03/2006@15:55.58
running from C:\Documents and Settings\Chad Swanson\Desktop\Autoruns\
Other users of this machine:
----------------------------------------------------------------------------------
HKLM\System\CurrentControlSet\Services
Bonjour Service
Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence, so that users can discover and use those services without any unnecessary manual setup or administration.
(Not verified) Apple Computer, Inc.
c:\program files\bonjour\mdnsresponder.exe
DVD-RAM_Service
Service of RAMAsst for Windows XP
(Not verified) Matsushita Electric Industrial Co., Ltd.
c:\windows\system32\dvdramsv.exe
McAfeeFramework
Shared component framework for McAfee products
(Not verified) Network Associates, Inc.
c:\program files\network associates\common framework\frameworkservice.exe
McShield
On-Access Scanner service
(Not verified) Network Associates, Inc.
c:\program files\network associates\virusscan\mcshield.exe
McTaskManager
Task Manager : scheduling and OAS alerting service
(Not verified) Network Associates, Inc.
c:\program files\network associates\virusscan\vstskmgr.exe
SoundMAX Agent Service (default)
SoundMAX service agent component
(Not verified) Analog Devices, Inc.
c:\program files\analog devices\soundmax\smagent.exe
Tmesbs
tmesbs32
(Not verified) TOSHIBA Corporation
c:\program files\toshiba\tme3\tmesbs32.exe
Tmesrv
TOSHIBA MobileExtension Service
(Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmesrv31.exe
HKLM\System\CurrentControlSet\Services
cmuda
C-Media Audio WDM Driver
(Not verified) C-Media Inc
c:\windows\system32\drivers\cmuda.sys
dtscsi
c:\windows\system32\drivers\dtscsi.sys
EntDrv51
EntDrv
(Not verified) Network Associates, Inc
c:\windows\system32\drivers\entdrv51.sys
GEARAspiWDM
CDRom Class Filter Driver
(Verified) GEAR Software Inc.
c:\windows\system32\drivers\gearaspiwdm.sys
NaiAvFilter1
Anti-Virus File System Filter Driver
(Not verified) Network Associates, Inc.
c:\windows\system32\drivers\naiavf5x.sys
NaiAvTdi1
Anti-Virus Mini-Firewall Driver
(Not verified) Network Associates, Inc.
c:\windows\system32\drivers\mvstdi5x.sys
nenum13E
File not found: C:\DOCUME~1\CHADSW~1\LOCALS~1\Temp\nenum13E.sys
PxHelp20
Px Engine Device Driver for Windows 2000/XP
(Not verified) Sonic Solutions
c:\windows\system32\drivers\pxhelp20.sys
RT25USBAP
Sample Driver for Ralink 802.11g Wireless USB Adapters
(Not verified) Ralink Technology Inc.
c:\windows\system32\drivers\rt25usbap.sys
Secdrv
SafeDisc driver
c:\windows\system32\drivers\secdrv.sys
sptd
c:\windows\system32\drivers\sptd.sys
TBiosDrv
c:\windows\system32\drivers\tbiosdrv.sys
TMEI3E
Toshiba Mobile Extension Value Added Logical Device Driver
(Not verified) Toshiba Corporation
c:\windows\system32\drivers\tmei3e.sys
tosrfec
TOSHIBA Bluetooth EC Driver
(Not verified) TOSHIBA Corporation
c:\windows\system32\drivers\tosrfec.sys
tsdhd
SD Card Host Controller Driver
(Not verified) TOSHIBA Corporation
c:\windows\system32\drivers\tsdhd.sys
TVALD
Toshiba ACPI-Based Value Added Logical Device Driver
(Not verified) Toshiba Corporation
c:\windows\system32\drivers\tvald.sys
TVALG
TOSHIBA Value Added Logical and General Purpose Device Driver
(Not verified) TOSHIBA Corporation
c:\windows\system32\drivers\tvalg.sys
HKCU\Control Panel\Desktop\Scrnsave.exe
C:\DOCUME~1\CHADSW~1\Desktop\Stuff\MATRIX~1.SCR
c:\documents and settings\chad swanson\desktop\stuff\matrix code emulator.scr
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Toshiba Bluetooth Monitor
tbtmon98
(Not verified) Toshiba America Business Solutions, Inc.
c:\windows\system32\tbtmon.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LtMoh
LtMoh MFC Application
(Not verified) Agere Systems
c:\program files\ltmoh\ltmoh.exe
00THotkey
THotkey
(Not verified) TOSHIBA Corp.
c:\windows\system32\00thotkey.exe
000StTHK
c:\windows\system32\000stthk.exe
TMESRV.EXE
TOSHIBA MobileExtension Service
(Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmesrv31.exe
TMERzCtl.EXE
TMERzCtl
(Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmerzctl.exe
TMEEJME.EXE
TMEEJME
(Not verified) TOSHIBA
c:\program files\toshiba\tme3\tmeejme.exe
TMESBS.EXE
tmesbs32
(Not verified) TOSHIBA Corporation
c:\program files\toshiba\tme3\tmesbs32.exe
DpUtil
TOSHIBA DualPoint Utility Main Module
(Not verified) TOSHIBA
c:\program files\toshiba\dualpointutility\tedtray.exe
TFNF5
TFnF5
(Not verified) Toshiba Corp.
c:\windows\system32\tfnf5.exe
TosHKCW.exe
Wireless Hotkey
(Not verified) TOSHIBA CORPORATION
c:\program files\toshiba\wireless hotkey\toshkcw.exe
NDSTray.exe
ConfigFree(TM) Tray
(Not verified) TOSHIBA CORPORATION
c:\program files\toshiba\configfree\ndstray.exe
ezShieldProtector for Px
ezSP_Px MFC Application
(Not verified) Easy Systems Japan Ltd.
c:\windows\system32\ezsp_px.exe
TFncKy
TFncKy
(Not verified) TOSHIBA Corporation
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
Tpwrtray
TOSHIBA Power Saver
(Not verified) TOSHIBA Corporation
c:\windows\system32\tpwrtray.exe
Pinger
TOSHIBA Pinger
(Not verified) TOSHIBA Corporation
c:\toshiba\ivp\ism\pinger.exe
ShStatEXE
On-access scanner statistics
(Not verified) Network Associates, Inc.
c:\program files\network associates\virusscan\shstat.exe
McAfeeUpdaterUI
Common User Interface
(Not verified) Network Associates, Inc.
c:\program files\network associates\common framework\updaterui.exe
Network Associates Error Reporting Service
TalkBack Monitor
(Not verified) Network Associates, Inc.
c:\program files\common files\network associates\talkback\tbmon.exe
HP Software Update
Hewlett-Packard Product Assistant
(Not verified) Hewlett-Packard Co.
c:\program files\hewlett-packard\hp software update\hpwuschd2.exe
SunJavaUpdateSched
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
c:\program files\java\jre1.5.0_06\bin\jusched.exe
iTunesHelper
iTunesHelper Module
(Not verified) Apple Computer, Inc.
c:\program files\itunes\ituneshelper.exe
QuickTime Task
QuickTime Task
(Not verified) Apple Computer, Inc.
c:\program files\quicktime\qttask.exe
TkBellExe
RealNetworks Scheduler
(Not verified) RealNetworks, Inc.
c:\program files\common files\real\update_ob\realsched.exe
DAEMON Tools
Virtual DAEMON Manager
(Verified) DAEMON Tools Code Signing Services
c:\program files\daemon tools\daemon.exe
WinampAgent
c:\program files\winamp\winampa.exe
DriverMagicLogon
DriverMagic Scheduler by SymplisIT Corporation
(Not verified) SymplisIT Corporation
c:\program files\symplisit\drivermagic\dmschedule.exe
Cmaudio
CmiCnfg DLL
(Not verified) C-Media Corporation
c:\windows\system\cmicnfg.cpl
HKLM\SOFTWARE\Classes\Protocols\Handler
msnim
MSN Messenger Protocol Handler
(Not verified) Microsoft Corporation
c:\program files\msn messenger\msgrapp.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
0
File not found: About:Home
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Find Fast.lnk
Microsoft Office Find Fast
(Not verified) Microsoft Corporation
c:\program files\microsoft office\office\findfast.exe
Office Startup.lnk
c:\program files\microsoft office\office\osa.exe
RAMASST.lnk
CD Burning of Windows XP disabling tool for DVD MULTI Drive
(Not verified) Matsushita Electric Industrial Co., Ltd.
c:\windows\system32\ramasst.exe
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
Nintendo Wi-Fi Connector USB
c:\program files\wificonnector\nintendowfcreg.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr
MSN Messenger
(Not verified) Microsoft Corporation
c:\program files\msn messenger\msnmsgr.exe
Spyware Doctor
Spyware Doctor
(Not verified) PCTools
c:\program files\spyware doctor\swdoctor.exe
AIM
AOL Instant Messenger
(Verified) America Online, Inc.
c:\program files\aim\aim.exe
DW4
(Not verified) The Weather Channel Interactive
c:\program files\the weather channel fw\desktop weather\desktopweather.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
AcroIEHlprObj Class
AcroIEHelper Module
(Verified) Adobe Systems, Incorporated
c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
SSVHelper Class
Java(TM) 2 Platform Standard Edition binary
(Not verified) Sun Microsystems, Inc.
c:\program files\java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Display Panning CPL Extension
File not found: deskpan.dll
America Online
AOL Shell Extension
(Not verified) America Online, Inc.
c:\program files\common files\aolshare\shell\us\shellext.dll
WinRAR shell extension
c:\program files\winrar\rarext.dll
iTunes
iTunes Mini Player DLL
(Not verified) Apple Computer, Inc.
c:\program files\itunes\itunesminiplayer.dll
Microsoft Access Custom Icon Handler
MSAPP Export Support for Microsoft Access
(Not verified) Microsoft Corporation
c:\program files\microsoft office\office\soa800.dll
Microsoft Office Binder Explode
Microsoft Office Binder Document Unbinder
(Not verified) Microsoft Corporation
c:\program files\microsoft office\office\unbind.dll
Microsoft Outlook Custom Icon Handler
Microsoft Outlook Shell Hook for Start/Find
(Not verified) Microsoft Corporation
c:\program files\microsoft office\office\olkfstub.dll
Shell Extensions for RealOne Player
RealPlayer Shell Extensions
(Not verified) RealNetworks, Inc.
c:\program files\real\realplayer\rpshell.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
AIM
AOL Instant Messenger
(Verified) America Online, Inc.
c:\program files\aim\aim.exe
And, finally, HijackThis (note that its "Running processes" list shows only eight processes, far fewer than the non-disabled services and Run entries reported by Silent Runners above — presumably the scan was taken in a reduced-startup state such as Safe Mode; worth confirming, since a normal-mode HijackThis log would be needed to see what is actually executing):
Logfile of HijackThis v1.99.1
Scan saved at 4:54:37 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 25
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsu...?1126118806598
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) -
http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) -
http://upload.facebook.com/controls/...toUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
Thanks again!