Old 02-14-2007, 08:04 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2007
Location: West Central Wisconsin
Posts: 9
OS: XP


wauclt.exe

I just know this is posted in the wrong place but..
I am currently following the procedure for posting my HijackThis log, but in the meantime I have a question.
In my Task Manager there is a program (or whatever it might be) that I did not recognize. It is called wauclt.exe. When I do a search for it on Microsoft, it has warnings back in 2004 and prior that state this is an immediate threat and must be removed. When I try to follow their instructions for removal, they have a lot of options for the different operating systems. Here is the problem: it never has an option new enough for my system. It only offers support up to XP SP1, which I imagine was the latest available in 2004. When I search for threads about this particular "program" in the threads here, a person mentioned it specifically, yet in receiving assistance the person helping did not (at all) think this was a threat. The thread was very new (today if I remember correctly), so is it no longer a threat? Is it something I do not need to concern myself with? Well, while waiting for a reply I am going to continue the procedure for turning in a hijack log.
Thanks for your assistance.
Jeff
Bad Maxx is offline  
Old 02-14-2007, 08:20 PM   #2 (permalink)
Registered User
 
 
Join Date: Feb 2007
Location: 127.0.0.1:1000
Posts: 81
OS: Windows XP Professional

Okay, well, the wauclt.exe was in a Microsoft Video Capture Controls for a worm called "Win32/Slinbot.ALJ".

Win32/Slinbot.ALJ is an IRC-controlled backdoor that can be used to gain unauthorized access to a victim's machine. It can also spread by exploiting weak passwords on administrative shares, by exploiting several vulnerabilities, and by using backdoors created by other malware. So, Bad Maxx, when this Win32/Slinbot.ALJ is executed, this variant copies itself to the %System% directory as WAUCLT.EXE and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Video Capture Controls = "wauclt.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Video Capture Controls = "wauclt.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Video Capture Controls = "wauclt.exe".

But anyways this process is most likely a virus or trojan, and runs as a .ajd worm.

But I'm sure you know this already, XD.

So as for what you're doing, please do so and upload the HJT log, and I'm sure a TSF security member will guide you through.

P.S. sorry, I didn't provide really decent information, just pretty much gave you more info on it.
__________________
- Dylan O.
DylanO is online now  
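As an added example (not part of the original posts, and not a TSF or HijackThis tool): a small Python triage of HijackThis-style log text that flags executable names one character away from a known Windows binary, such as wauclt.exe against the Windows Update client's wuauclt.exe, in both the running-process list and the O4 autorun lines that correspond to the Run and RunServices values quoted above. It goes slightly beyond the post by also flagging a known name running from an unexpected folder; the reference list of system binaries and the sample log are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed reference list (not from the thread): a few Windows XP system
# binaries and the folder each normally runs from, all lower-case.
KNOWN = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# "O4 - HKLM\..\Run: [value name] command line"
O4_LINE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
# Executable part of a command line: quoted path, or text up to the extension.
EXECUTABLE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|scr|pif|bat))\b', re.I)

# Constructed sample in HijackThis log layout; not taken from a real machine.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wauclt.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Video Capture Controls] wauclt.exe
O4 - HKCU\..\Run: [Microsoft Video Capture Controls] wauclt.exe
O4 - HKLM\..\RunServices: [Microsoft Video Capture Controls] wauclt.exe
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def collect_executables(log_text):
    """Return (source, path) pairs for running processes and O4 autoruns."""
    items = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                items.append(("process", line))
            else:
                in_processes = False  # a blank line ends the process list
            continue
        entry = O4_LINE.match(line)
        if entry:
            exe = EXECUTABLE.match(entry.group(3))
            if exe:
                source = f"{entry.group(1)} [{entry.group(2)}]"
                items.append((source, exe.group(1) or exe.group(2)))
    return items


def classify(path):
    """Return a reason string if the path looks like an impostor, else None."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in KNOWN:
        # A bare name (no folder) is resolved by the search path; skip it.
        if folder and folder != KNOWN[name]:
            return f"{name} outside {KNOWN[name]}"
        return None
    for known in KNOWN:
        if edit_distance(name, known) == 1:
            return f"{name} resembles {known}"
    return None


def triage(log_text):
    """List (source, path, reason) for every suspicious entry in the log."""
    findings = []
    for source, path in collect_executables(log_text):
        reason = classify(path)
        if reason:
            findings.append((source, path, reason))
    return findings


if __name__ == "__main__":
    for source, path, reason in triage(SAMPLE_LOG):
        print(f"{source}: {path} -> {reason}")
```

A hit from this check is a prompt to verify the file (location, signature, scan result), not a verdict on its own.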
Old 02-14-2007, 08:57 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2007
Location: West Central Wisconsin
Posts: 9
OS: XP


Hmmm, no, I didn't know that (But anyways this process is most likely a virus or trojan, and runs as a .ajd worm.). I am not too bright when it comes to this stuff. Right at the moment I am having major trouble even finishing a scan by the Panda Active Scan. Prior to it finishing the actual scan my Internet Explorer shuts down. It also took me 6 attempts to install the VX2 Cleaner so it would be recognized by the Ad-Aware SE as an add-on!
Well I'm going to try the Panda Scan once more, if I can not get it to work I'm going to bed and start over tomorrow!
Thanks for the info!
Jeff
Bad Maxx is offline  
Old 02-14-2007, 09:16 PM   #4 (permalink)
Registered User
 
 
Join Date: Feb 2007
Location: 127.0.0.1:1000
Posts: 81
OS: Windows XP Professional

Sincerely sorry about this late reply, sort of, lol. Sorry to hear about the errors in attempting to install and the failure in scanning. Hope it all works out, Jeff!

Good luck, :).

P.S. No problem about the info.
__________________
- Dylan O.
DylanO is online now  
Old 02-14-2007, 09:35 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2007
Location: West Central Wisconsin
Posts: 9
OS: XP


I cannot get the Panda Scan to complete a scan. It shuts down my I.E. after scanning about 1/4 of the way through (according to the Panda Scan meter). This has happened 7 times in a row. I have had enough for this evening (I'm going bald fast enough the way it is!) so I give up for now. I am of course open to any suggestions, and will implement them first thing in the morning (providing there are any). Thanks again for your help.
Jeff
Bad Maxx is offline  
Old 02-15-2007, 04:16 AM   #6 (permalink)
Registered User
 
Join Date: May 2006
Posts: 19
OS: Win XP


Here's some information on the malicious file WAUCLT.EXE:
http://spywarefiles.prevx.com/RRHFFH...t%252Eexe.html

Prevx report they are capable of removing this threat with their free trial so it may be worth giving that a shot. It's a pay-for program, but their free trial is fully-functional for at least 30 days which will remove any infections for free during this period. If you don't wish to keep it after cleanup, simply uninstall it.

The same filename may have been used years ago as mentioned by Microsoft, but there are also new malware infections using this same filename as late as January this year, under infections such as Worm.Ircbot.Gen and Trojan.SystemPoser. See here:
http://spywarefiles.prevx.com/ssHFFH.../WAUCmore.html

Many new infections are adding lines to your hosts file in order to stop you visiting sites which may be able to help or delete the malware, as well as some that actively target certain security applications and stop them from running or completing their scans (as you have witnessed with Panda).
Cricket57 is offline  
Old 02-15-2007, 06:26 AM   #7 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 21,767
OS: Win XP Pro SP3

Jeff

The 5 Step guide does say that if you cannot complete something then just move to the next step. Please do not delete any files or fix anything yourself until you receive help from a trained analyst - you may end up with a useless system and then have to re-install your OS and all other programmes.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
Old 02-15-2007, 10:51 AM   #8 (permalink)
Registered User
 
Join Date: Feb 2007
Location: West Central Wisconsin
Posts: 9
OS: XP


Okay, I hope I am following the right guidelines by posting my Combo Log here. As I understand it I should not start a new thread but continue this one?? I hope so.

Okay, my computer is a 2.8GHz Dell Dimension 4600 with 512MB of RAM. I always keep my Ad-Aware SE Personal, CCleaner, Spybot - Search & Destroy, and Spyware Blaster up to date. Over the past few years I have found them very effective. I also use Camtech's Spysite, which is a database of 16,666 websites known to be problematic, and you upload them in the Restricted folder in Internet Options/Security.

My computer used to be so fast it amazed me; I could also multitask with no noticeable slowdown. Lately it is pathetically slow; if I am printing a couple of pages I need to wait until it is done to take on another task. So I made sure everything was up to date, no progress there. I found wauclt.exe in my Task Manager window, eventually leading me here. I followed the 5 Steps but could not get a Panda ActiveScan to complete; it shut down my Internet Explorer 8 different times. I also tried to remove the wauclt.exe by installing Prevx; it did not even detect it after 3 scans, nor any other problem, so I uninstalled it.
This brings me to my combo scan. I want to thank you for helping and I am sorry if I am posting it in the wrong place.

ComboScan v20070212.14 run by Jeffrey on 2007-02-15 at 11:19:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis log (run as Jeffrey.com) ------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:21:07 AM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeffrey\Desktop\comboscan.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\DOCUME~1\Jeffrey\LOCALS~1\Temp\~attuhag.tmp\Jeffrey.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Personal Firewall 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.compusa.com
O15 - Trusted Zone: http://app.infopia.com
O15 - Trusted Zone: www.midmichiganrc.com
O15 - Trusted Zone: http://www.mysurvey.com
O15 - Trusted Zone: www.positscience.com
O15 - Trusted Zone: http://compusa.shoplocal.com
O15 - Trusted Zone: www.squaretrade.com
O15 - Trusted Zone: http://www.squaretrade.com
O15 - Trusted Zone: http://online.tns-global.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120660274468
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137027903453
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multicastmedia.com/co...INIBrowser.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com/euras/activex2/euras.CAB
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 Adp216shu - C:\WINDOWS\system32\drivers\imapi.sys
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
3 ASAPIW2k - system32\drivers\ASAPIW2k.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
3 ati2mtag - System32\DRIVERS\ati2mtag.sys
2 BCMNTIO - \??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
3 E100B (Intel(R) PRO Network Connection Driver) - System32\DRIVERS\e100b325.sys
1 eeCtrl (Symantec Eraser Control driver) - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
0 ElbyVCD - System32\DRIVERS\ElbyVCD.sys
3 EraserUtilRebootDrv - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
3 GEARAspiWDM - System32\Drivers\GEARAspiWDM.sys
2 hardlock - \??\C:\WINDOWS\system32\drivers\hardlock.sys
2 Haspnt - \??\C:\WINDOWS\system32\drivers\Haspnt.sys
3 HidUsb (Microsoft HID Class Driver) - System32\DRIVERS\hidusb.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
3 HSFHWBS2 - System32\DRIVERS\HSFHWBS2.sys
3 HSF_DP - System32\DRIVERS\HSF_DP.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
1 intelppm (Intel Processor Driver) - System32\DRIVERS\intelppm.sys
1 kbdhid (Keyboard HID Driver) - system32\DRIVERS\kbdhid.sys
2 MAPMEM - \??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
2 mdmxsdk - System32\DRIVERS\mdmxsdk.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
3 NAVENG - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070214.020\NAVENG.Sys
3 NAVEX15 - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070214.020\NavEx15.Sys
3 NPDriver (Norton UnErase Protection Driver) - \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
3 nv - System32\DRIVERS\nv4_mini.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
1 P3 (Intel PentiumIII Processor Driver) - System32\DRIVERS\p3.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 SAVRT - \??\C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVRT.SYS
1 SAVRTPEL - \??\C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVRTPEL.SYS
3 SDdriver - \??\C:\WINDOWS\system32\Drivers\sddriver.sys
3 senfilt - system32\drivers\senfilt.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
1 SPBBCDrv - \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
3 SYMDNS - \SystemRoot\System32\Drivers\SYMDNS.SYS
3 SymEvent - \??\C:\Program Files\Symantec\SYMEVENT.SYS
3 SYMFW - \SystemRoot\System32\Drivers\SYMFW.SYS
3 SYMIDS - \SystemRoot\System32\Drivers\SYMIDS.SYS
3 SYMIDSCO - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20070214.003\symidsco.sys
3 SYMNDIS - \SystemRoot\System32\Drivers\SYMNDIS.SYS
3 SYMREDRV - \SystemRoot\System32\Drivers\SYMREDRV.SYS
1 SYMTDI - \SystemRoot\System32\Drivers\SYMTDI.SYS
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
3 TVICHW32 - \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
3 wanatw (WAN Miniport (ATW)) - System32\DRIVERS\wanatw4.sys
3 winachsf - System32\DRIVERS\HSF_CNXT.sys
3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - system32\drivers\WmBEnum.sys
3 WmFilter (Logitech WingMan HID Filter Driver) - system32\drivers\WmFilter.sys
3 WmHidLo (Logitech WingMan USB Filter Driver) - system32\drivers\WmHidLo.sys
3 WmVirHid (Logitech Virtual Hid Device Driver) - system32\drivers\WmVirHid.sys
3 WmXlCore (Logitech WingMan Translation Layer Driver) - system32\drivers\WmXlCore.sys
4 WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - \SystemRoot\System32\drivers\ws2ifsl.sys
3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2 Automatic LiveUpdate Scheduler - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
2 ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
3 ccISPwdSvc (Symantec Internet Security Password Validation) - "C:\Program Files\Norton Personal Firewall\ccPwdSvc.exe"
2 ccProxy (Symantec Network Proxy) - "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
2 ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3 Diskeeper - C:\Program Files\Executive Software\Diskeeper\DkService.exe
2 GBPoll (GoBack Polling Service) - "C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe"
3 iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
3 LiveUpdate - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
2 navapsvc (Norton AntiVirus Auto-Protect Service) - "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"
4 NetSvc (Intel NCS NetService) - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
2 NPFMntor (Norton AntiVirus Firewall Monitor Service) - "C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe"
2 NProtectService (Norton UnErase Protection) - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
3 NSCService (Norton Protection Center Service) - "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"
3 NVSvc (NVIDIA Driver Helper Service) - %SystemRoot%\system32\nvsvc32.exe
3 ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3 SAVScan (Symantec AVScan) - "C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe"
2 SNDSrvc (Symantec Network Drivers Service) - "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
2 SPBBCSvc (Symantec SPBBCSvc) - "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
4 Speed Disk service - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
2 Symantec Core LC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
3 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup


-- Scheduled Tasks --------------------------------------------------------------

2007-02-14 00:00:01 312 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job<SYMANT~1.JOB>
2007-02-12 21:08:33 296 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job<NORTON~1.JOB>
2007-02-09 21:32:23 552 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Jeffrey.job<NORTON~2.JOB>


-- Files created between 2007-01-15 and 2007-02-15 ------------------------------

2007-02-15 10:20:21 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-15 10:11:30 21312 --a------ C:\WINDOWS\choice.exe<Unsigned: n/a>
2007-02-15 10:10:25 0 d-------- C:\ie-spyad
2007-02-14 21:08:47 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-14 18:00:35 0 d-------- C:\Documents and Settings\Jeffrey\Application Data\Uniblue
2007-02-14 18:00:26 0 d-------- C:\Program Files\Uniblue
2007-01-29 11:28:45 0 d-------- C:\WINDOWS\system32\LogFiles
2007-01-29 11:28:45 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-24 10:34:40 0 d-------- C:\Documents and Settings\Jeffrey\Application Data\Apple Computer<APPLEC~1>
2007-01-24 10:34:29 0 d-------- C:\Program Files\iPod
2007-01-24 10:34:20 0 d-------- C:\Program Files\iTunes
2007-01-24 10:33:46 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-01-24 10:11:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer<APPLEC~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-15 11:21:32 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-14 22:19:40 0 d-------- C:\Documents and Settings\Jeffrey\Application Data\Symantec
2007-02-14 22:13:47 0 d-------- C:\Program Files\Norton SystemWorks<NORTON~2>
2007-02-14 19:52:04 0 d-------- C:\Program Files\ZipCentral<ZIPCEN~1>
2007-02-14 18:36:33 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-12 19:49:50 0 d-------- C:\Program Files\Norton Personal Firewall<NORTON~1>
2007-01-29 11:31:13 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
2007-01-15 22:04:35 0 d-------- C:\Program Files\RockSim 8 demo<ROCKSI~1>
2007-01-04 12:30:42 0 d-------- C:\Program Files\Common Files\Adobe
2006-12-17 10:36:24 0 d-------- C:\Documents and Settings\Jeffrey\Application Data\AdobeUM


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Jeffrey\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Jeffrey\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CFD"
"hkey"="HKLM"
"command"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ElbyCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 02]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPClient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 02]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPMon32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kdx\\KHost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mail.com]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcalert"
"hkey"="HKCU"
"command"="C:\\Program Files\\mail.com\\mcalert.exe -auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NetLimiter"
"hkey"="HKLM"
"command"="C:\\Program Files\\NetLimiter\\NetLimiter.exe /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PNXSERVR"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Canopus Shared\\ProCoder 2\\Kernel\\PNXSERVR.exe\" -SelfLaunch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfgwiz"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="opware32"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCPOptimize"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDrvCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh EDN Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RSEDNClient"
"hkey"="HKCU"
"command"="C:\\Program Files\\RSSoft\\RSEDNClient.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RxMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smax4pnp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Begone]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="freescan"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Jeffrey\\Desktop\\Malware Removal\\freescan.exe -FastScan"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UrlLstCk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="1"
"hkey"="HKCU"
"command"="1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=dword:00000003


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-02-15 at 11:22:17 -------------------------
Bad Maxx is offline  
Old 02-17-2007, 10:49 AM   #9 (permalink)
Registered User
 
Join Date: Feb 2007
Location: West Central Wisconsin
Posts: 9
OS: XP


BUMP. If there is something wrong with where or how I posted, I sure would have appreciated someone telling me so.
Bad Maxx is offline  
Old 02-18-2007, 03:45 PM