EXTREME Overclocking Forums
Old 01-24-2009, 05:01 AM   #1
aygung
XP-D41D8CD9 or iiiiii.exe

Hi guys. I don't know what this is. XP-D41D8CD9 or iiiiii.exe
I started to get this on startup recently out of nowhere, and it disturbed me so much. I decided to format my computer yesterday, and after a new fresh format, I updated the OS to Service Pack 2 (XP Pro 64-bit), installed the drivers for the GPU and stuff, then I installed Internet Explorer 7 from Windows Update... After the reboot, this iiiiii.exe returned. I didn't even copy-paste something old from another hard drive to this formatted one???
I am so confused.
I am looking for this exe in the folders from where it has to start according to the startup, and there are no files named like those above. But they are in the startup.
I don't know where to look in the registry... any ideas?

I don't want to reformat, as I just did it already and this thing shows up again for no reason. Is this by any chance maybe a necessary process for Windows?
Old 01-24-2009, 05:57 AM   #2
crunchie
From a Google search it seems that both are unwelcome guests.

What anti-virus and firewall did you install before going online?

A fresh install will wipe everything from the drive. The only way this has happened is that you have an infected flash drive or something.

Was it a clean install or just a repair?

==

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Old 01-24-2009, 09:08 AM   #3
aygung
I never use antivirus software and actually never got a virus ever before. This, I think, is not a virus either... I disabled it from the msconfig and it doesn't start now, but it is still there.

It was a clean format, not a repair. Deleted the boot partition and remade it, then made the new install.

I googled it too, then ended up running a free scan from the ESET website. It didn't find anything about this either...
Old 01-24-2009, 05:10 PM   #4
crunchie
Quote:
Originally Posted by aygung View Post
I never use antivirus software
A bit like unprotected sex if you ask me. You may get away scot-free for a while, but you never know when you might get bitten.

So, you going to follow my above requests?

If you do, go back in to msconfig, go to the Startup Tab.

Select the Enable all button and hit apply.

Do NOT reboot!

Close msconfig and run hijackthis. Save the log.

Go back in to msconfig and change back the startup settings.

Post the log here.

Last edited by crunchie : 01-24-2009 at 06:00 PM.
Old 01-24-2009, 05:41 PM   #5
maxgull
Please listen to crunchie! He is the virus master here. I am hoping I never need his help, but he will be the first I, and many others, will ask.
Old 01-24-2009, 08:37 PM   #6
aygung
Okay, so this is the log file with everything enabled on startup.

Note: ip-clamp is a non-malicious software for Cebas finalrender render motor. Its name looks spooky but it is safe.

Edit: I see now, after a reboot with XP-D41D8CD9 disabled on startup, the iiiiii.exe is gone from task manager and from startup too. I guess that is a good sign...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:36:48, on 25.01.2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
F:\WINDOWS\Domino.exe
F:\WINDOWS\VMSnap3.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe
F:\Program Files (x86)\MSN Messenger\usnsvc.exe
F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
C:\uygulamalar\benchmark software (64 bit)\RealTemp_2.70\RealTemp.exe
F:\Program Files (x86)\Mozilla Firefox\firefox.exe
F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XP-D41D8CD9] F:\WINDOWS\SysWow64\XP-D41D8CD9.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1232735938750
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2saag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
O23 - Service: mental ray 3.5 Satellite (64-bit) (mi-raysat_3dsmax9_64) - Unknown owner - F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5513 bytes

Last edited by aygung : 01-24-2009 at 08:44 PM.
Old 01-24-2009, 08:52 PM   #7
crunchie
When did you reboot? I said NOT to reboot after msconfig. If you reboot, you will allow the file to run.

Can you run MBA-M as requested earlier?
Old 01-25-2009, 04:29 AM   #8
aygung
Quote:
Originally Posted by crunchie View Post
When did you reboot? I said NOT to reboot after msconfig. If you reboot, you will allow the file to run.

Can you run MBA-M as requested earlier?

Sorry man, I did reboot like way before I saw your post. Wait, I'll reboot with that exe enabled and see what happens...

Additional Comment:

Okay, restarted with that exe enabled and iiiiii.exe is back too.
This is the log of the actual state right now...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:03:52, on 25.01.2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
F:\WINDOWS\Domino.exe
F:\WINDOWS\VMSnap3.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\WINDOWS\system32\XP-D41D8CD9.EXE
F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XP-D41D8CD9] F:\WINDOWS\SysWow64\XP-D41D8CD9.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup:    .lnk = F:\WINDOWS\system32\XP-D41D8CD9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1232735938750
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2saag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
O23 - Service: mental ray 3.5 Satellite (64-bit) (mi-raysat_3dsmax9_64) - Unknown owner - F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5454 bytes

Additional Comment:

Okay, it is very late now, I have to go to bed. I will read what you say tomorrow.
Thanks for your interest...
Have a good day.

Additional Comment:

An update.

I disabled the boxes yesterday when I went to bed but apparently I forgot one, so it started again when I started the computer now. So I went to disable them in msconfig again and now there are 2 processes for both of them. So I made a newer log file. Here it is (all enabled):
I have my suspicions that this has something to do with the Windows update.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:55, on 25.01.2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
F:\WINDOWS\system32\XP-D41D8CD9.EXE
F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
F:\Program Files (x86)\PowerISO\PWRISOVM.EXE
F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [StartCCC] "F:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XP-D41D8CD9] F:\WINDOWS\SysWow64\XP-D41D8CD9.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup:    .lnk = F:\WINDOWS\system32\XP-D41D8CD9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1232735938750
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2saag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - F:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: IPCLAMP by cebas Computer GmbH (IPClampService) - Unknown owner - F:\PROGRA~2\cebas\ip-clamp\ipclamp.exe
O23 - Service: mental ray 3.5 Satellite (64-bit) (mi-raysat_3dsmax9_64) - Unknown owner - F:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5367 bytes

Last edited by aygung : 01-25-2009 at 04:34 AM. Reason: Automerged Doublepost
Old 01-25-2009, 05:42 AM   #9
crunchie
I'm having a real problem with understanding what you are doing. I simply wanted you to enable all startups in msconfig, do a hijackthis log, then disable in msconfig again. No reboots (restarts).

I have also asked you twice to run Malwarebytes Anti-malware and you have not done that yet.

If you believe those files are related to M$ updates, upload them for a virus scan.

http://virusscan.jotti.org/ or http://www.virustotal.com/en/virustotalf.html
Post the results back here.
Old 01-25-2009, 07:45 AM   #10
aygung
Okay. I am restarting the computer because I install new updates or programs that want restarts, but when I post logs here, I do it like how you told me to.

Everything in startup is enabled and I click apply, get the log with hijackthis, then I disable them again, so they are like you want... I am also running the Malwarebytes Anti-malware now. I will post the log as soon as it ends.

Thanks again... (I have around 1.5 million files on my computer so scans take a while)

Additional Comment:

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.2.3790 Service Pack 2

25.01.2009 16:38:08
mbam-log-2009-01-25 (16-38-04).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 414013
Time elapsed: 1 hour(s), 38 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> No action taken.


Okay, this is the log for the malware scan (and hmmm, ESET online scanned like 1.5 million files yesterday. This just did 400k. It is no different I guess lol)

Additional Comment:

I really don't want to make a new move without hearing your opinion first.
Do you think I should run Registry Mechanic? Would it fix anything? I see there are not a lot of problems here, right?...

Last edited by aygung : 01-25-2009 at 07:45 AM. Reason: Automerged Doublepost
Old 01-25-2009, 04:24 PM   #11
crunchie
Did you take no action in malwarebytes, or did you post the wrong log?

Did you upload those suspect files for an online scan as I suggested?
Old 01-25-2009, 04:58 PM   #12
aygung
Okay, the situation now is:

I ran the ESET online scan. It found about 1000+ threats and cleaned them,
and I pasted the log here.

And Malwarebytes' Anti-Malware 1.33 found 4 threats. I took no action and pasted the result here.
Did I have to paste the log after cleaning the threats? I am gonna look for the log file I saved after cleaning the threats and post it...


The thing is, it is not affecting anything I do when that exe is running. Like, no virus-infected-like behavior on the computer. It just disturbs me that it pops that window on startup.
And this came right after I updated to Internet Explorer 7 from Windows Update...

I think I should just let it go as it doesn't start when it is disabled from msconfig. If it was a virus it would start itself, right? Maybe it is something about some 64-bit OS incompatibility problem...

Additional Comment:

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.2.3790 Service Pack 2

25.01.2009 23:30:23
mbam-log-2009-01-25 (23-30-23).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 414013
Time elapsed: 1 hour(s), 38 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.


This is the log after deleting threats.

Last edited by aygung : 01-25-2009 at 04:58 PM. Reason: Automerged Doublepost
Old 01-25-2009, 05:06 PM   #13
crunchie
As I have said twice already... upload the suspect files for an online scan at the sites I provided links to before.
Old 01-25-2009, 05:07 PM   #14
aygung
I am not that good with software or programming so I don't really know where those update files are, or I didn't even know they are accessible to me?
You tried to help me and I really appreciate it. Thank you.... If you think you can't help anymore it is okay, really... This is a weird situation and maybe not even a virus... I try to do pretty much everything you say, but if you think I am not following you very well (because I cannot, actually), please tell me so. Like for this situation, where or how to find those files, and I will try to do it.
Again, thank you very much...
Old 01-25-2009, 06:17 PM   #15
crunchie
One is here; F:\WINDOWS\SysWow64\XP-D41D8CD9.EXE

You will need to locate iiiiii.exe yourself on your pc.

The full path can be copy/pasted into the upload window at the site.
Old 01-26-2009, 06:11 AM   #16
aygung
I copy pasted the path as you requested

A-Squared Found Trojan-Dropper.Win32.Flystud!IK
AntiVir Found TR/Agent.1252319.1
ArcaVir Found Trojan.Flystudio.Ab
Avast Found nothing
AVG Antivirus Found Dropper.Agent.IYG
BitDefender Found DeepScan:Generic.Malware.SFMb.7E80AA46
ClamAV Found W32.Zloyfly
CPsecure Found nothing
Dr.Web Found Win32.HLLW.Autoruner.2855
F-Prot Antivirus Found W32/Trojan.WFZ
F-Secure Anti-Virus Found Worm:W32/Autorun.BI
G DATA Found nothing
Ikarus Found Trojan-Dropper.Win32.Flystud.B
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/AutoRun.HYH
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Worm.Autorun.CAK
VBA32 Found nothing


This is the result found. And I found the file too now when I unchecked the box that says hide system files... it appears as a hidden system file, has a folder icon but can not be opened.. can't be deleted... what do I do now?

I stopped the processes and deleted the file now... gonna make a reboot and see what happens...

Additional Comment:

I restarted the computer and no processes started now, can't find the file in the path to upload for virus scan, and the file does not appear in the directory either so I guess it is gone... phew. Edit: Now it shows in the Windows\prefetch folder as this: XP-D41D8CD9.EXE-2055917E.pf I am gonna delete this too now... (and there are no signs of iiiiii.exe anywhere... I am doing advanced searches for this one too, like how I found XP-d49...exe. Nothing..)

The only thing now is there are still paths showing in startup in msconfig for both iiiiii.exe and the other. How do I delete those lines from startup? I was doing that from autoexec.bat in good old DOS times. How do I do it now??

Last edited by aygung : 01-26-2009 at 06:24 AM. Reason: Automerged Doublepost
Old 01-26-2009, 12:38 PM   #17
crunchie
Easiest way to delete them from msconfig is to enable them as I explained before, run a HijackThis scan and delete them using HijackThis. They should show in the scan once enabled.
Old 01-26-2009, 04:01 PM   #18
aygung
Oh cool! I thought HijackThis was only for creating the log, lol, sorry for my mistake. I deleted them now...

You are the man crunchie! Thank you so much...
Old 01-27-2009, 02:07 AM   #19
crunchie
No worries
Old 02-06-2009, 08:55 AM   #20
g_mateus
Running System Stock
Forum Newbie
 
Posts: 1
Last Seen: 02-08-2009
Hey Crunchie,

I am experiencing the same problem. I followed your instructions and produced the following log files. Can you take a look and let me know what more I should do? Thanks g

Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 2

2/6/2009 10:27:06 AM
mbam-log-2009-02-06 (10-27-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 104235
Time elapsed: 44 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:15 AM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SettecAlphaDisc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://microsoft.com/
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XP-B8D6931A] C:\WINDOWS\system32\XP-B8D6931A.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\SettecAlphaDisc.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup:    .lnk = C:\WINDOWS\system32\XP-B8D6931A.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121472413652
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7521 bytes
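An added example, not written by anyone in the thread: a small triage script for the O4 (autostart) section of a HijackThis log like the one in post #20. The function names are hypothetical, and the `XP-<8 hex digits>.EXE` rule is a heuristic taken only from the two file names seen in this thread (XP-D41D8CD9.EXE and XP-B8D6931A.EXE), so treat it as an assumption rather than a signature.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log in post #20.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XP-B8D6931A] C:\WINDOWS\system32\XP-B8D6931A.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup:    .lnk = C:\WINDOWS\system32\XP-B8D6931A.EXE
"""

REG = re.compile(r"^O4 - (?P<loc>\S.*?): \[(?P<name>.*?)\] (?P<cmd>.+)$")
LNK = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.*?)\.lnk = (?P<cmd>.+)$")
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)  # quoted path, or text up to first .exe
# Heuristic from the two file names in this thread (assumption: it generalises).
XP_NAME = re.compile(r"^XP-[0-9A-F]{8}\.EXE$", re.I)

def parse_o4(log):
    """Return (location, entry name, executable path) for every O4 line."""
    entries = []
    for line in log.splitlines():
        m = LNK.match(line) or REG.match(line)
        exe = EXE.match(m["cmd"]) if m else None
        if exe:
            entries.append((m["loc"], m["name"], exe.group(1) or exe.group(2)))
    return entries

def flag_suspicious(log):
    """Map each suspicious executable path to a sorted list of reasons."""
    entries = parse_o4(log)
    seen = Counter(path.lower() for _, _, path in entries)
    findings = {}
    for loc, name, path in entries:
        reasons = set()
        if XP_NAME.match(PureWindowsPath(path).name):
            reasons.add("XP-<8 hex>.EXE file name")
        if "Startup" in loc and not name.strip():
            reasons.add("startup shortcut with blank name")
        if reasons and seen[path.lower()] > 1:
            reasons.add("launched from more than one autostart location")
        if reasons:
            findings.setdefault(path, set()).update(reasons)
    return {p: sorted(r) for p, r in findings.items()}

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))
```

A flagged path is a candidate to upload for an online scan, as crunchie asks earlier in the thread, not proof of infection.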
All times are GMT -6.