CPU sometimes running inexplicably at 100%

Zeit · 01-07-2006, 08:34 AM

Hello

Windows task manager sometimes shows my CPU running at 100% (and I can hear HD activity) even though I have no applications running, and am not online.

I've done all of the 5 steps suggested in the sticky post. When I ran CWS Shredder it detected and removed CWS.Msconfig.

I have 512RAM with 2.2Ghz AMD Athlon 64.

Here is the HJT log. I'd be most grateful for any help.

Logfile of HijackThis v1.99.1
Scan saved at 17:19:15, on 07/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\dvd43\dvd43_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Dudez\ProtoWall\ProtoWall.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\Intense Language Office\COMMON\Offman.exe
C:\Programme\Intense Language Office\COMMON\Dict.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [ProtoWall] C:\Programme\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe"
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121718138890
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C5901-6592-4909-B193-9CBFC15713C8}: NameServer = 217.237.151.161 217.237.151.33
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe

greyknight17 · 01-07-2006, 11:44 AM

Welcome to TSF.

I don't see anything suspicious here. Do a ctrl+alt+del and look under the Processes tab. Sort it by Mem Usage and see which one is guzzling all the resources when your CPU spikes to 100%.

Just to be sure there's not a virus working here, perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Please post that log in your next reply.

Zeit · 01-07-2006, 01:53 PM

Hello

Thank you for your reponse.

Here is the Panda scan report. No viruses, 48 "spyware" and one "Hacking tools and potentially unwanted tools".

Incident Status Location

Adware:adware/startpage.amb Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Favoriten\Health

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@ccbill[2].txt

Spyware:Cookie/did-it Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@did-it[2].txt

Spyware:Cookie/Kount Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@kount[1].txt

Spyware:Cookie/Xiti Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@xiti[1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@ad.yieldmanager[1].txt

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@ccbill[2].txt

Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@fe.lea.lycos[1].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@go[1].txt

Spyware:Cookie/Mp3search Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@mp3search[1].txt

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@ccbill[2].txt

Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[1].txt

Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[2].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[1].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[2].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[3].txt

Spyware:Cookie/Rn11 Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@rn11[1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.ad.yieldmanager.com/]

Spyware:Cookie/Belnk Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.ath.belnk.com/]

Spyware:Cookie/Belnk Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.belnk.com/]

Spyware:Cookie/BurstNet Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.burstnet.com/]

Spyware:Cookie/Com.com Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.com.com/]

Spyware:Cookie/did-it Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.did-it.com/]

Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.fe.lea.lycos.de/]

Spyware:Cookie/GoStats Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.gostats.com/]

Spyware:Cookie/Screensavers Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.i.screensavers.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Dokumente

und

Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.searchportal.information.com

/]
Spyware:Cookie/Toplist Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.toplist.cz/]

Spyware:Cookie/Tucows Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.tucows.com/]

Spyware:Cookie/Yadro Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.yadro.ru/]

Spyware:Cookie/YieldManager Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[]

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@ccbill[2].txt

Spyware:Cookie/did-it Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@did-it[2].txt

Spyware:Cookie/Kount Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@kount[1].txt

Spyware:Cookie/Xiti Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\anyuser@xiti[1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@ad.yieldmanager[1].txt

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@ccbill[2].txt

Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@fe.lea.lycos[1].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@go[1].txt

Spyware:Cookie/Mp3search Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\astrid@mp3search[1].txt

Spyware:Cookie/Ccbill Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@ccbill[2].txt

Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[1].txt

Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[2].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[1].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[2].txt

Spyware:Cookie/go Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@go[3].txt

Spyware:Cookie/Rn11 Not disinfected C:\Dokumente

und Einstellungen\HP_Besitzer\Cookies\standard@rn11[1].txt

Potentially unwanted tool:Application/KillApp.B Not disinfected

C:\hp\bin\KillIt.exe

Vikesrock8411 · 01-08-2006, 01:57 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
Cleanup! (Alternate Link)- Install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
WinPFind-Unzip it to the desktop, but do not run it yet

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Tools
Double click WinPFind.exe

* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot(Normal Mode) when prompted.

Online Scans
Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:

Kaspersky Log
WinPFind Log
A new Hijackthis! Log

Zeit · 01-15-2006, 06:57 AM

Hi

Thank you very much for the reply, and sorry for not being able to respond sooner.

I've followed all the steps. Below is
-Kaspersky log
-WinPFind log
-Hijackthis log

KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 15, 2006 15:36:10
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/01/2006
Kaspersky Anti-Virus database records: 161201
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 83603
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3230 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PEC2 04/12/2005 15:33:12 277936872 C:\sp2.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 04/08/2004 13:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 08/06/2000 16:00:00 42496 C:\WINDOWS\SYSTEM32\l3codecx.ax
aspack 07/08/2003 13:01:52 126464 C:\WINDOWS\SYSTEM32\lame_enc.dll
PTech 12/07/2005 17:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 08/12/2005 16:25:42 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 08/12/2005 16:25:42 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 19:00:00 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04/08/2004 13:00:00 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04/08/2004 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
15/01/2006 14:04:18 S 2048 C:\WINDOWS\bootstat.dat
10/01/2006 20:54:02 RHS 56 C:\WINDOWS\system32\056745997B.sys
10/01/2006 21:22:24 RHS 13 C:\WINDOWS\system32\IEcacher.dll
10/01/2006 20:54:02 HS 10856 C:\WINDOWS\system32\KGyGaAvL.sys
01/12/2005 04:44:42 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
02/12/2005 01:12:38 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
03/01/2006 00:09:26 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
15/01/2006 14:05:02 H 1024 C:\WINDOWS\system32\config\default.LOG
15/01/2006 14:04:50 H 1024 C:\WINDOWS\system32\config\SAM.LOG
15/01/2006 14:05:02 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
15/01/2006 14

42 H 1024 C:\WINDOWS\system32\config\software.LOG
15/01/2006 14:18:48 H 1024 C:\WINDOWS\system32\config\system.LOG
16/12/2005 20:01:32 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
05/12/2005 01:07:20 S 688 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
28/11/2005 00:21:04 S 70226 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
05/12/2005 01:07:20 S 94 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
28/11/2005 00:21:04 S 128 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
15/01/2006 01:38:24 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a9740297-491b-4f76-8fff-5fe70833f599
15/01/2006 01:38:24 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
15/01/2006 14:03:12 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04/08/2004 13:00:00 70656 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 20/09/2004 23:20:44 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04/08/2004 13:00:00 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 13:00:00 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 13:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 13:00:00 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 13:00:00 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 13:00:00 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 01/01/2005 19:33:40 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04/08/2004 13:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 13:00:00 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 13:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 13:00:00 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 29/09/2004 21:23:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 13:00:00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 13:00:00 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 13:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 13:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04/08/2004 13:00:00 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04/08/2004 13:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04/08/2004 13:00:00 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04/08/2004 13:00:00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04/08/2004 13:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04/08/2004 13:00:00 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04/08/2004 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04/08/2004 13:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04/08/2004 13:00:00 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04/08/2004 13:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04/08/2004 13:00:00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04/08/2004 13:00:00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04/08/2004 13:00:00 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04/08/2004 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04/08/2004 13:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04/08/2004 13:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp. 20/09/2004 23:20:44 16121856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
03/11/2004 02

06 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
03/11/2004 01:56:58 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
24/07/2005 18:45:18 5283 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
03/11/2004 02

06 HS 84 C:\Dokumente und Einstellungen\HP_Besitzer\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
04/12/2005 17:33:50 392 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\AutoGK.ini
26/09/2005 17:40:24 13033 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Comma Separated Values (Windows).CAL
03/11/2004 01:56:58 HS 62 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\desktop.ini
07/08/2005 12:40:10 22104 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Microsoft Excel.ADR

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Custom shell context menu extension
{7A4097B2-6022-4670-995F-DA363EBF947F} = C:\WINDOWS\system32\shctxex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Custom shell context menu extension
{7A4097B2-6022-4670-995F-DA363EBF947F} = C:\WINDOWS\system32\shctxex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ILO_Office_Manager IntEdReg.exe /OFFMAN

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
xmlprov 3
WZCSVC 2
wuauserv 2
WmiApSrv 3
WmdmPmSN 3
winmgmt 2
WebClient 2
W32Time 2
VSS 3
UPS 3
TSMService 3
TrkWks 2
Themes 2
TermService 3
TapiSrv 3
SysmonLog 3
SwPrv 3
stisvc 2
SSDPSRV 3
srservice 2
Spooler 2
SmcService 2
ShellHWDetection 2
SharedAccess 2
SENS 2
seclogon 2
Schedule 2
SCardSvr 3
SamSs 2
RSVP 3
RDSessMgr 3
RasMan 3
ProtectedStorage 2
PolicyAgent 2
PlugPlay 2
ose 3
NVSvc 2
NtmsSvc 3
NtLmSsp 3
Nla 3
Netman 3
Netlogon 3
MSIServer 3
MSDTC 3
mnmsrvc 3
LmHosts 2
lanmanworkstation 2
lanmanserver 2
ImapiService 3
HTTPFilter 3
HidServ 2
helpsvc 2
Fax 3
FastUserSwitchingCompatibility 3
EventSystem 3
Eventlog 2
Dnscache 2
dmserver 3
dmadmin 3
Dhcp 2
CryptSvc 3
COMSysApp 3
CiSvc 3
Browser 2
BITS 3
Avg7UpdSvc 2
Avg7Alrt 2
AudioSrv 2
aspnet_state 3
AppMgmt 3
ALG 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AutoSizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoSizer
hkey HKCU
command "C:\Programme\AutoSizer\AutoSizer.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoSizer
hkey HKCU
command "C:\Programme\AutoSizer\AutoSizer.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dvd43
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dvd43_tray
hkey HKLM
command C:\Programme\dvd43\dvd43_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dvd43_tray
hkey HKLM
command C:\Programme\dvd43\dvd43_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ILO_Office_Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IntEdReg
hkey HKCU
command IntEdReg.exe /OFFMAN
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IntEdReg
hkey HKCU
command IntEdReg.exe /OFFMAN
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intense Registry Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IntEdReg
hkey HKLM
command IntEdReg.exe /CHECK
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IntEdReg
hkey HKLM
command IntEdReg.exe /CHECK
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /installquiet /keeploaded /nodetect
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /installquiet /keeploaded /nodetect
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProtoWall
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ProtoWall
hkey HKCU
command C:\Programme\Dudez\ProtoWall\ProtoWall.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ProtoWall
hkey HKCU
command C:\Programme\Dudez\ProtoWall\ProtoWall.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SmcService
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item smc
hkey HKLM
command C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item smc
hkey HKLM
command C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 1
win.ini 1
bootini 0
services 1
startup 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 1
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 15/01/2006 14:22:38

Logfile of HijackThis v1.99.1
Scan saved at 15:53:20, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\dvd43\dvd43_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Dudez\ProtoWall\ProtoWall.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\Intense Language Office\COMMON\Offman.exe
C:\Programme\Intense Language Office\COMMON\Dict.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Grisoft\AVG Free\avgcc.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ProtoWall] C:\Programme\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe"
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121718138890
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C5901-6592-4909-B193-9CBFC15713C8}: NameServer = 217.237.151.161 217.237.151.33
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe

removed916 · 01-15-2006, 02:21 PM

Hi,

I had the same problem, when I checked the CPU usage in Task manager / processes, I found it was spoolsv.exe eating it all up, when I then checked my printers there was a print job still deleting. So I ran services.msc and stopped the spooler then went to C:\WINDOWS\system32\spool\PRINTERS deleted the files then re-started the spooler again, CPU back to normal. Worth checking before you spend hours looking fro something that may not be there.

Vikesrock8411 · 01-15-2006, 02:53 PM

Those logs are all clean. It is looking like this may not be malware related. I reccomend you follow Greyknight's suggestion and see if you can determine what process is eating up all your resources when the CPU spikes.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.

Tick the checkbox - Turn off System Restore on all drives
Click Apply
Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Avast! Home Edition (Antivirus & Firewall)

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

Zeit · 01-16-2006, 11:56 AM

Hello

Goods news that everything is clean.

I don't think it was spoolsv.exe as I don't have a printer and the Printers folder was empty.

The CPU usage spikes haven't happened in over a week now, so hopefully everything is ok. Thanks once again for your help.

01-07-2006, 08:34 AM	#1 (permalink)
Zeit Registered User Join Date: Jan 2006 Posts: 4 OS: Windows XP Personal	CPU sometimes running inexplicably at 100% Hello Windows task manager sometimes shows my CPU running at 100% (and I can hear HD activity) even though I have no applications running, and am not online. I've done all of the 5 steps suggested in the sticky post. When I ran CWS Shredder it detected and removed CWS.Msconfig. I have 512RAM with 2.2Ghz AMD Athlon 64. Here is the HJT log. I'd be most grateful for any help. Logfile of HijackThis v1.99.1 Scan saved at 17:19:15, on 07/01/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\Programme\dvd43\dvd43_tray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Dudez\ProtoWall\ProtoWall.exe C:\Programme\AutoSizer\AutoSizer.exe C:\Programme\Intense Language Office\COMMON\Offman.exe C:\Programme\Intense Language Office\COMMON\Dict.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN O4 - HKCU\..\Run: [ProtoWall] C:\Programme\Dudez\ProtoWall\ProtoWall.exe O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe" O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121718138890 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C5901-6592-4909-B193-9CBFC15713C8}: NameServer = 217.237.151.161 217.237.151.33 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe

01-07-2006, 11:44 AM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Welcome to TSF. I don't see anything suspicious here. Do a ctrl+alt+del and look under the Processes tab. Sort it by Mem Usage and see which one is guzzling all the resources when your CPU spikes to 100%. Just to be sure there's not a virus working here, perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm * Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it. * Click 'Check Now' & a pop-up window will appear. * Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size). * Begin the scan by selecting My Computer. * If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later. * Click on see report. Then click Save report. * Please post that log in your next reply. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

01-08-2006, 01:57 PM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Downloads(make sure to save these in a permanent location) Cleanup! (Alternate Link)- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. WinPFind-Unzip it to the desktop, but do not run it yet Next, please reboot your computer in SafeMode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. Tools Double click WinPFind.exe * Click 'Start Scan' * It will scan the entire system, so please be patient! * Once the scan is complete: 1. Go to the WinPFind folder 2. Locate WinPFind.txt 3. Copy those results in the next post! Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program and reboot(Normal Mode) when prompted. Online Scans Please open IE and go to Kaspersky WebScanner Next Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan In your next post please include: Kaspersky Log WinPFind Log A new Hijackthis! Log

01-15-2006, 06:57 AM	#5 (permalink)
Zeit Registered User Join Date: Jan 2006 Posts: 4 OS: Windows XP Personal	Hi Thank you very much for the reply, and sorry for not being able to respond sooner. I've followed all the steps. Below is -Kaspersky log -WinPFind log -Hijackthis log KASPERSKY ON-LINE SCANNER REPORT Sunday, January 15, 2006 15:36:10 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 15/01/2006 Kaspersky Anti-Virus database records: 161201 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\ Scan Statistics: Total number of scanned objects: 83603 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 3230 sec No malware has been detected. The sections that have been scanned are CLEAN. Scan process completed. WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding. If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly. »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600 Internet Explorer Version: 6.0.2900.2180 »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»» Checking %SystemDrive% folder... PEC2 04/12/2005 15:33:12 277936872 C:\sp2.exe Checking %ProgramFilesDir% folder... Checking %WinDir% folder... Checking %System% folder... PEC2 04/08/2004 13:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc UPX! 08/06/2000 16:00:00 42496 C:\WINDOWS\SYSTEM32\l3codecx.ax aspack 07/08/2003 13:01:52 126464 C:\WINDOWS\SYSTEM32\lame_enc.dll PTech 12/07/2005 17:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll PECompact2 08/12/2005 16:25:42 2723680 C:\WINDOWS\SYSTEM32\MRT.exe aspack 08/12/2005 16:25:42 2723680 C:\WINDOWS\SYSTEM32\MRT.exe aspack 04/08/2004 19:00:00 733696 C:\WINDOWS\SYSTEM32\ntdll.dll Umonitor 04/08/2004 13:00:00 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll winsync 04/08/2004 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu Checking %System%\Drivers folder and sub-folders... UPX! 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys FSG! 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys PEC2 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys aspack 08/12/2005 09:50:38 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts Checking the Windows folder and sub-folders for system and hidden files within the last 60 days... 15/01/2006 14:04:18 S 2048 C:\WINDOWS\bootstat.dat 10/01/2006 20:54:02 RHS 56 C:\WINDOWS\system32\056745997B.sys 10/01/2006 21:22:24 RHS 13 C:\WINDOWS\system32\IEcacher.dll 10/01/2006 20:54:02 HS 10856 C:\WINDOWS\system32\KGyGaAvL.sys 01/12/2005 04:44:42 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat 02/12/2005 01:12:38 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat 03/01/2006 00:09:26 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat 15/01/2006 14:05:02 H 1024 C:\WINDOWS\system32\config\default.LOG 15/01/2006 14:04:50 H 1024 C:\WINDOWS\system32\config\SAM.LOG 15/01/2006 14:05:02 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG 15/01/2006 1442 H 1024 C:\WINDOWS\system32\config\software.LOG 15/01/2006 14:18:48 H 1024 C:\WINDOWS\system32\config\system.LOG 16/12/2005 20:01:32 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG 05/12/2005 01:07:20 S 688 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 28/11/2005 00:21:04 S 70226 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1 05/12/2005 01:07:20 S 94 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 28/11/2005 00:21:04 S 128 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1 15/01/2006 01:38:24 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a9740297-491b-4f76-8fff-5fe70833f599 15/01/2006 01:38:24 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred 15/01/2006 14:03:12 H 6 C:\WINDOWS\Tasks\SA.DAT Checking for CPL files... Microsoft Corporation 04/08/2004 13:00:00 70656 C:\WINDOWS\SYSTEM32\access.cpl Realtek Semiconductor Corp. 20/09/2004 23:20:44 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL Microsoft Corporation 04/08/2004 13:00:00 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation 04/08/2004 13:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl Microsoft Corporation 04/08/2004 13:00:00 138240 C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation 04/08/2004 13:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl Microsoft Corporation 04/08/2004 13:00:00 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl Microsoft Corporation 04/08/2004 13:00:00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation 04/08/2004 13:00:00 133120 C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation 04/08/2004 13:00:00 381440 C:\WINDOWS\SYSTEM32\irprops.cpl Microsoft Corporation 04/08/2004 13:00:00 69632 C:\WINDOWS\SYSTEM32\joy.cpl Sun Microsystems 01/01/2005 19:33:40 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl Microsoft Corporation 04/08/2004 13:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation 04/08/2004 13:00:00 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation 04/08/2004 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation 04/08/2004 13:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl Microsoft Corporation 04/08/2004 13:00:00 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl NVIDIA Corporation 29/09/2004 21:23:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl Microsoft Corporation 04/08/2004 13:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation 04/08/2004 13:00:00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl Microsoft Corporation 04/08/2004 13:00:00 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation 04/08/2004 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation 04/08/2004 13:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation 04/08/2004 13:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl Microsoft Corporation 26/05/2005 03:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation 04/08/2004 13:00:00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl Microsoft Corporation 04/08/2004 13:00:00 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl Microsoft Corporation 04/08/2004 13:00:00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl Microsoft Corporation 04/08/2004 13:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl Microsoft Corporation 04/08/2004 13:00:00 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl Microsoft Corporation 04/08/2004 13:00:00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl Microsoft Corporation 04/08/2004 13:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl Microsoft Corporation 04/08/2004 13:00:00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl Microsoft Corporation 04/08/2004 13:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl Microsoft Corporation 04/08/2004 13:00:00 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl Microsoft Corporation 04/08/2004 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl Microsoft Corporation 04/08/2004 13:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl Microsoft Corporation 04/08/2004 13:00:00 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl Microsoft Corporation 04/08/2004 13:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl Microsoft Corporation 04/08/2004 13:00:00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation 04/08/2004 13:00:00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl Microsoft Corporation 04/08/2004 13:00:00 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl Microsoft Corporation 04/08/2004 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation 04/08/2004 13:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl Microsoft Corporation 04/08/2004 13:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl Microsoft Corporation 26/05/2005 03:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl Realtek Semiconductor Corp. 20/09/2004 23:20:44 16121856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\ALSNDMGR.CPL »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»» Checking files in %ALLUSERSPROFILE%\Startup folder... 03/11/2004 0206 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini Checking files in %ALLUSERSPROFILE%\Application Data folder... 03/11/2004 01:56:58 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini 24/07/2005 18:45:18 5283 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log Checking files in %USERPROFILE%\Startup folder... 03/11/2004 0206 HS 84 C:\Dokumente und Einstellungen\HP_Besitzer\Startmenü\Programme\Autostart\desktop.ini Checking files in %USERPROFILE%\Application Data folder... 04/12/2005 17:33:50 392 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\AutoGK.ini 26/09/2005 17:40:24 13033 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Comma Separated Values (Windows).CAL 03/11/2004 01:56:58 HS 62 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\desktop.ini 07/08/2005 12:40:10 22104 C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Microsoft Excel.ADR »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»» [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] SV1 = [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Custom shell context menu extension {7A4097B2-6022-4670-995F-DA363EBF947F} = C:\WINDOWS\system32\shctxex.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll HKEY_CLASSES_ROOT\\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu {AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Custom shell context menu extension {7A4097B2-6022-4670-995F-DA363EBF947F} = C:\WINDOWS\system32\shctxex.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\PROGRA~1\SPYBOT~1\SDHelper.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7} Google Toolbar Helper = c:\programme\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} MenuText = Sun Java Konsole : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66} MenuText = Uninstall BitDefender Online Scanner v8 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} ButtonText = Research : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer-Band = %SystemRoot%\system32\shdocvw.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = : HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = : {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] IMAIL Installed = 1 MAPI Installed = 1 MSFS Installed = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] ILO_Office_Manager IntEdReg.exe /OFFMAN [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services xmlprov 3 WZCSVC 2 wuauserv 2 WmiApSrv 3 WmdmPmSN 3 winmgmt 2 WebClient 2 W32Time 2 VSS 3 UPS 3 TSMService 3 TrkWks 2 Themes 2 TermService 3 TapiSrv 3 SysmonLog 3 SwPrv 3 stisvc 2 SSDPSRV 3 srservice 2 Spooler 2 SmcService 2 ShellHWDetection 2 SharedAccess 2 SENS 2 seclogon 2 Schedule 2 SCardSvr 3 SamSs 2 RSVP 3 RDSessMgr 3 RasMan 3 ProtectedStorage 2 PolicyAgent 2 PlugPlay 2 ose 3 NVSvc 2 NtmsSvc 3 NtLmSsp 3 Nla 3 Netman 3 Netlogon 3 MSIServer 3 MSDTC 3 mnmsrvc 3 LmHosts 2 lanmanworkstation 2 lanmanserver 2 ImapiService 3 HTTPFilter 3 HidServ 2 helpsvc 2 Fax 3 FastUserSwitchingCompatibility 3 EventSystem 3 Eventlog 2 Dnscache 2 dmserver 3 dmadmin 3 Dhcp 2 CryptSvc 3 COMSysApp 3 CiSvc 3 Browser 2 BITS 3 Avg7UpdSvc 2 Avg7Alrt 2 AudioSrv 2 aspnet_state 3 AppMgmt 3 ALG 3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AutoSizer key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item AutoSizer hkey HKCU command "C:\Programme\AutoSizer\AutoSizer.exe" inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item AutoSizer hkey HKCU command "C:\Programme\AutoSizer\AutoSizer.exe" inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item avgcc hkey HKLM command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item avgcc hkey HKLM command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item avgemc hkey HKLM command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item avgemc hkey HKLM command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dvd43 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item dvd43_tray hkey HKLM command C:\Programme\dvd43\dvd43_tray.exe inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item dvd43_tray hkey HKLM command C:\Programme\dvd43\dvd43_tray.exe inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ILO_Office_Manager key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item IntEdReg hkey HKCU command IntEdReg.exe /OFFMAN inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item IntEdReg hkey HKCU command IntEdReg.exe /OFFMAN inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Intense Registry Service key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item IntEdReg hkey HKLM command IntEdReg.exe /CHECK inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item IntEdReg hkey HKLM command IntEdReg.exe /CHECK inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item dumprep 0 -k hkey HKLM command %systemroot%\system32\dumprep 0 -k inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item dumprep 0 -k hkey HKLM command %systemroot%\system32\dumprep 0 -k inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item NvCpl hkey HKLM command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item NvCpl hkey HKLM command RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item nwiz hkey HKLM command nwiz.exe /installquiet /keeploaded /nodetect inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item nwiz hkey HKLM command nwiz.exe /installquiet /keeploaded /nodetect inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProtoWall key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item ProtoWall hkey HKCU command C:\Programme\Dudez\ProtoWall\ProtoWall.exe inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item ProtoWall hkey HKCU command C:\Programme\Dudez\ProtoWall\ProtoWall.exe inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SmcService key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item smc hkey HKLM command C:\PROGRA~1\Sygate\SPF\smc.exe -startgui inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item smc hkey HKLM command C:\PROGRA~1\Sygate\SPF\smc.exe -startgui inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item realsched hkey HKLM command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item realsched hkey HKLM command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state system.ini 1 win.ini 1 bootini 0 services 1 startup 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 1 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder. Scan completed on 15/01/2006 14:22:38 Logfile of HijackThis v1.99.1 Scan saved at 15:53:20, on 15/01/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\Programme\dvd43\dvd43_tray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Dudez\ProtoWall\ProtoWall.exe C:\Programme\AutoSizer\AutoSizer.exe C:\Programme\Intense Language Office\COMMON\Offman.exe C:\Programme\Intense Language Office\COMMON\Dict.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Opera\Opera.exe C:\Programme\Grisoft\AVG Free\avgcc.exe C:\HJT\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ProtoWall] C:\Programme\Dudez\ProtoWall\ProtoWall.exe O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe" O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121718138890 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Dr...Non_Member.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab36385.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B76C5901-6592-4909-B193-9CBFC15713C8}: NameServer = 217.237.151.161 217.237.151.33 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe

01-15-2006, 02:53 PM	#7 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Those logs are all clean. It is looking like this may not be malware related. I reccomend you follow Greyknight's suggestion and see if you can determine what process is eating up all your resources when the CPU spikes. Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Setting a new Restore Point Go to Start >> Run - type control sysdm.cpl,,4 & press Enter. Tick the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Avast! Home Edition (Antivirus & Firewall) Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

01-07-2006, 01:53 PM	#3 (permalink)
Zeit Registered User Join Date: Jan 2006 Posts: 4 OS: Windows XP Personal	Hello Thank you for your reponse. Here is the Panda scan report. No viruses, 48 "spyware" and one "Hacking tools and potentially unwanted tools". Incident Status Location Adware:adware/startpage.amb Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Favoriten\Health Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@ccbill[2].txt Spyware:Cookie/did-it Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@did-it[2].txt Spyware:Cookie/Kount Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@kount[1].txt Spyware:Cookie/Xiti Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@xiti[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@ad.yieldmanager[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@ccbill[2].txt Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@fe.lea.lycos[1].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@go[1].txt Spyware:Cookie/Mp3search Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@mp3search[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@ccbill[2].txt Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[1].txt Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[2].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[1].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[2].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[3].txt Spyware:Cookie/Rn11 Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@rn11[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.ad.yieldmanager.com/] Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.ath.belnk.com/] Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.belnk.com/] Spyware:Cookie/BurstNet Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.burstnet.com/] Spyware:Cookie/Com.com Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.com.com/] Spyware:Cookie/did-it Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.did-it.com/] Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.fe.lea.lycos.de/] Spyware:Cookie/GoStats Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.gostats.com/] Spyware:Cookie/Screensavers Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.i.screensavers.com/] Spyware:Cookie/Searchportal Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.searchportal.information.com /] Spyware:Cookie/Toplist Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.toplist.cz/] Spyware:Cookie/Tucows Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.tucows.com/] Spyware:Cookie/Yadro Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[.yadro.ru/] Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Anwendungsdaten\Mozilla\Firefox\Profiles\hevcc4fx.default\cookies.txt[] Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@ccbill[2].txt Spyware:Cookie/did-it Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@did-it[2].txt Spyware:Cookie/Kount Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@kount[1].txt Spyware:Cookie/Xiti Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\anyuser@xiti[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@ad.yieldmanager[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@ccbill[2].txt Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@fe.lea.lycos[1].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@go[1].txt Spyware:Cookie/Mp3search Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\astrid@mp3search[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@ccbill[2].txt Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[1].txt Spyware:Cookie/Kazaa Networks Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@desktop.kazaa[2].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[1].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[2].txt Spyware:Cookie/go Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@go[3].txt Spyware:Cookie/Rn11 Not disinfected C:\Dokumente und Einstellungen\HP_Besitzer\Cookies\standard@rn11[1].txt Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe

01-15-2006, 02:21 PM	#6 (permalink)
removed916 Registered User Join Date: Jan 2006 Posts: 2 OS: XP	Hi, I had the same problem, when I checked the CPU usage in Task manager / processes, I found it was spoolsv.exe eating it all up, when I then checked my printers there was a print job still deleting. So I ran services.msc and stopped the spooler then went to C:\WINDOWS\system32\spool\PRINTERS deleted the files then re-started the spooler again, CPU back to normal. Worth checking before you spend hours looking fro something that may not be there.

01-16-2006, 11:56 AM	#8 (permalink)
Zeit Registered User Join Date: Jan 2006 Posts: 4 OS: Windows XP Personal	Hello Goods news that everything is clean. I don't think it was spoolsv.exe as I don't have a printer and the Printers folder was empty. The CPU usage spikes haven't happened in over a week now, so hopefully everything is ok. Thanks once again for your help.