Virus, Adware, I Dunno

Bagelmeister · January 28, 2007

I'm new to bettechie's forums, though I've known him for some time, and finally I've left in a situation where I think I really need help. I did something rather stupid (20/20 hindsight) which I shouldn't, and am afraid I have something malevolent on my computer. Did a HJT scan and here's the log:

Logfile of HijackThis v1.99.1

Scan saved at 10:04:48 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\TWljaGFlbCBCZWlnZWxtYWNoZXI\command.exe

C:\PROGRA~1\SMANTE~1\alg.exe

C:\Documents and Settings\Michael Beigelmacher\My Documents\?racle\smss.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\explorer.exe

C:\Program Files\BOINC\boincmgr.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\mIRC\mirc.exe

C:\Documents and Settings\Michael Beigelmacher\Desktop\New Downloads\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gxforever.com/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}

R3 - URLSearchHook: (no name) - {BA29763D-C9FB-E27C-F9E8-E6FBFD1423E5} - C:\WINDOWS\system32\wgbiantd.dll

F3 - REG:win.ini: load=C:\WINDOWS\system32\ninojq\winlogon.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\ninojq\winlogon.exe

O1 - Hosts: 1.1.1.1 free.grisoft.com

O1 - Hosts: 1.1.1.1 housecall.trendmicro.com

O1 - Hosts: 1.1.1.1 usa.kaspersky.com

O1 - Hosts: 1.1.1.1 ewido.net

O1 - Hosts: 1.1.1.1 www.ewido.net

O1 - Hosts: 1.1.1.1 zonelabs.com

O1 - Hosts: 1.1.1.1 www.zonelabs.com

O1 - Hosts: 1.1.1.1 bitdefender.com

O1 - Hosts: 1.1.1.1 www.bitdefender.com

O1 - Hosts: 1.1.1.1 download.bitdefender.com

O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com

O1 - Hosts: 1.1.1.1 spywareinfo.com

O1 - Hosts: 1.1.1.1 www.spywareinfo.com

O1 - Hosts: 1.1.1.1 merijn.org

O1 - Hosts: 1.1.1.1 www.merijn.org

O1 - Hosts: 1.1.1.1 sysinternals.com

O1 - Hosts: 1.1.1.1 www.sysinternals.com

O1 - Hosts: 1.1.1.1 onguardonline.gov

O1 - Hosts: 1.1.1.1 www.onguardonline.gov

O1 - Hosts: 1.1.1.1 avast.com

O1 - Hosts: 1.1.1.1 www.avast.com

O1 - Hosts: 1.1.1.1 safety.live.com

O1 - Hosts: 1.1.1.1 www.paretologic.com

O1 - Hosts: 1.1.1.1 paretologic.com

O1 - Hosts: 1.1.1.1 services.google.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {BA29763D-C9FB-E27C-F9E8-E6FBFD1423E5} - C:\WINDOWS\system32\wgbiantd.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [boincLogX] "C:\Program Files\BoincLogX\boinclogx.exe"

O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMANTE~1\alg.exe" -vt yazb

O4 - HKCU\..\Run: [Evyctwf] "C:\Documents and Settings\Michael Beigelmacher\My Documents\?racle\smss.exe" 99001122

O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Startup: [email protected] = C:\Program Files\SETI@BOINCWatch\[email protected]

O4 - Startup: winlogon.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PowerReg Scheduler.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5BB36B-7FD7-43FE-8362-A52BAC42E925}: NameServer = 68.237.161.12 71.250.0.12

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBCZWlnZWxtYWNoZXI\command.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks.

Besttechie · January 28, 2007

Hey Bagel,

Let's get started..

STEP 1:

In HJT tick and have it remove the following (make sure you close any explorer and internet explorer windows before doing so)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gxforever.com/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}

R3 - URLSearchHook: (no name) - {BA29763D-C9FB-E27C-F9E8-E6FBFD1423E5} - C:\WINDOWS\system32\wgbiantd.dll

F3 - REG:win.ini: load=C:\WINDOWS\system32\ninojq\winlogon.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\ninojq\winlogon.exe

O1 - Hosts: 1.1.1.1 free.grisoft.com

O1 - Hosts: 1.1.1.1 housecall.trendmicro.com

O1 - Hosts: 1.1.1.1 usa.kaspersky.com

O1 - Hosts: 1.1.1.1 ewido.net

O1 - Hosts: 1.1.1.1 www.ewido.net

O1 - Hosts: 1.1.1.1 zonelabs.com

O1 - Hosts: 1.1.1.1 www.zonelabs.com

O1 - Hosts: 1.1.1.1 bitdefender.com

O1 - Hosts: 1.1.1.1 www.bitdefender.com

O1 - Hosts: 1.1.1.1 download.bitdefender.com

O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com

O1 - Hosts: 1.1.1.1 spywareinfo.com

O1 - Hosts: 1.1.1.1 www.spywareinfo.com

O1 - Hosts: 1.1.1.1 merijn.org

O1 - Hosts: 1.1.1.1 www.merijn.org

O1 - Hosts: 1.1.1.1 sysinternals.com

O1 - Hosts: 1.1.1.1 www.sysinternals.com

O1 - Hosts: 1.1.1.1 onguardonline.gov

O1 - Hosts: 1.1.1.1 www.onguardonline.gov

O1 - Hosts: 1.1.1.1 avast.com

O1 - Hosts: 1.1.1.1 www.avast.com

O1 - Hosts: 1.1.1.1 safety.live.com

O1 - Hosts: 1.1.1.1 www.paretologic.com

O1 - Hosts: 1.1.1.1 paretologic.com

O1 - Hosts: 1.1.1.1 services.google.com

O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SMANTE~1\alg.exe" -vt yazb

O4 - HKCU\..\Run: [Evyctwf] "C:\Documents and Settings\Michael Beigelmacher\My Documents\?racle\smss.exe" 99001122

O4 - Startup: winlogon.lnk = ?

O4 - Global Startup: PowerReg Scheduler.exe

STEP 2:

Go to Add/Remove Programs. Start - Control Panel - Add/Remove Programs. From there remove the following:

Command Service

Also remove anything that begins with OIN

STEP 3:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
[*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\ninojq\winlogon.exe
[*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.
[*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then reboot your computer and post a new HJT log. :thumbsup:

B

Bagelmeister · January 28, 2007

Here's the new log file, hope it's better.

Logfile of HijackThis v1.99.1

Scan saved at 11:10:58 PM, on 1/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\BOINC\boincmgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\TWljaGFlbCBCZWlnZWxtYWNoZXI\command.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\BOINC\boinc.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_5.43_windows_intelx86.exe