View Full Version : Command Service
BraveMax
2007-01-13, 06:48
I'm still getting the "Command Service" malware showing up in my Spybot checks, and I'm getting random ad pop-ups on my computer.
I've run checks with every anti-spyware/AV program I have (Adaware, Spybot, Symantec AV) in safemode, tried manually deleting the registry keys affected - everything.
So I followed the suggested preliminary steps, and I'd really appreciate any help you guys can give!
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:35:05 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hasbrotoyshop.com/SearchResults.htm?PG=1&CDT=1151754841
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160001}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160001}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [{980BE85D-0256-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-0256-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\newuser\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/115ea08abeb7e2358c19/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000064 (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
Next post with the Pandascan log.
BraveMax
2007-01-13, 11:38
Well... I tried a few of those online scanners. For some reason I couldn't get them to complete.
I'll try again tomorrow - in the mean time, if there are any suggestions lmk!
pskelley
2007-01-14, 15:08
Welcome to the forum, if you have not been helped elsewhere and still need help, I will do my best. Let me give you some information first.
You are infected, I can see PurityScan which is adware and other junk I can't even identify. This one:
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000064 (file missing) is new and CastleCops has this to say:
COM+ Messages X svchosts.exe Added by an unidentified TROJAN! of the Sdbot family. Note: This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
As you can see there is not a lot of information yet. It may be this is a Mytob worm and Symantec has a removal tool we will try. Please follow these directions.
1) Download FixMytob.exe from this link and follow the directions. If the fix generates information you can save and post for me, please do.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-022812-5045-99
2) Thanks to sUBs and anyone who helped with this fix.
1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Restart the computer and post the combofix log, and information from FixMytob and a new HJT log. Please add any comments you think will help.
Thanks
BraveMax
2007-01-14, 22:31
FixMyTob found nothing. First the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:27:52 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160001}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160001}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [{980BE85D-0256-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-0256-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\newuser\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/115ea08abeb7e2358c19/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000064 (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
Next the combofix log.
BraveMax
2007-01-14, 22:33
"newuser" - 07-01-14 16:02:58 Service Pack 2
ComboFix 07-01-14.2 - Running from: "C:\Download"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Ipwindows\ipwins.dll
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{380BE~1
C:\Program Files\Common Files\{980BE~3
C:\Program Files\Common Files\{980BE~1
C:\Program Files\Common Files\{980BE~2
C:\Program Files\Ipwindows
((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))
2007-01-13 02:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-13 02:45 <DIR> d-------- C:\DOCUME~1\newuser\.housecall6.6
2007-01-12 18:29 <DIR> d-------- C:\HiJackThis
2007-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-11 21:23 <DIR> d-------- C:\DOCUME~1\newuser\Application Data\.gaim
2007-01-11 21:21 <DIR> d-------- C:\Program Files\Gaim
2007-01-11 21:21 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-01-11 20:14 <DIR> d-------- C:\DOCUME~1\newuser\Application Data\Viewpoint
2007-01-10 14:02 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-10 11:32 <DIR> d--hs---- C:\WINDOWS\IA
2007-01-08 23:51 <DIR> d-------- C:\Program Files\Logiccode
2007-01-04 00:49 46,346 --a------ C:\WINDOWS\system32\SmrtDrive.dll
2007-01-04 00:48 83,216 --a------ C:\WINDOWS\system32\MabryObj.dll
2007-01-04 00:48 49,152 --a------ C:\WINDOWS\system32\cast.dll
2007-01-04 00:48 206,088 --a------ C:\WINDOWS\system32\HttpX.dll
2007-01-04 00:48 122,880 --a------ C:\WINDOWS\system32\fxtls532.dll
2007-01-04 00:47 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
2007-01-04 00:47 561,179 --a------ C:\WINDOWS\system32\dao360.dll
2007-01-04 00:47 48,872 --a------ C:\WINDOWS\system32\SSPng.dll
2007-01-04 00:47 29,184 --a------ C:\WINDOWS\system32\PICN20.dll
2007-01-04 00:47 <DIR> d-------- C:\Program Files\4PLAY
2007-01-02 10:45 92,485 --a------ C:\WINDOWS\system32\install.exe
2006-12-19 18:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-19 18:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-14 16:01 -------- d-------- C:\Program Files\mozilla firefox
2007-01-14 15:06 -------- d-------- C:\DOCUME~1\newuser\Application Data\.gaim
2007-01-14 15:02 -------- d-------- C:\Program Files\symantec antivirus
2007-01-13 01:37 -------- d-------- C:\Program Files\smartftp
2007-01-13 01:32 -------- d-------- C:\Program Files\messenger plus! 3
2007-01-13 01:29 -------- d-------- C:\Program Files\itunes
2007-01-13 01:28 -------- d-------- C:\Program Files\ibm recordnow!
2007-01-13 01:27 -------- d-------- C:\Program Files\google
2007-01-13 01:26 -------- d-------- C:\Program Files\digital line detect
2007-01-09 13:50 -------- d-------- C:\Program Files\warcraft iii
2007-01-08 03:48 3888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-01-07 14:08 -------- d-------- C:\Program Files\dictionary
2007-01-06 18:23 -------- d-------- C:\Program Files\aim
2007-01-05 05:13 -------- d-------- C:\Program Files\aim6
2006-12-29 19:37 -------- d-------- C:\Program Files\divx
2006-12-23 03:30 -------- d-------- C:\DOCUME~1\newuser\Application Data\skype
2006-12-12 15:32 -------- d-------- C:\Program Files\Common Files\aol
2006-12-12 15:13 -------- d-------- C:\Program Files\Common Files\nullsoft
2006-11-30 14:25 -------- d---s---- C:\DOCUME~1\newuser\Application Data\microsoft
2006-11-29 14:44 -------- d-------- C:\Program Files\ipod
2006-11-29 14:42 -------- d-------- C:\Program Files\quicktime
2006-11-28 21:36 -------- d-------- C:\Program Files\winamp
2006-11-26 16:28 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-11-25 04:25 -------- d-------- C:\Program Files\dawn of war
2006-11-20 09:42 11712 --a------ C:\WINDOWS\system32\egathdrv.sys
2006-11-20 09:42 -------- d--h----- C:\Program Files\installshield installation information
2006-11-20 09:40 -------- d-------- C:\Program Files\netwaiting
2006-11-20 09:40 -------- d-------- C:\Program Files\conexant
2006-11-20 02:02 -------- d-------- C:\Program Files\thinkpad
2006-11-20 02:02 -------- d-------- C:\Program Files\analog devices
2006-11-20 02:00 -------- d-------- C:\Program Files\ati technologies
2006-11-20 01:49 -------- d-------- C:\Program Files\lenovo
2006-11-20 01:48 -------- d-------- C:\Program Files\Common Files\lenovo
2006-11-19 10:38 -------- d-------- C:\DOCUME~1\newuser\Application Data\imvu
2006-11-19 09:26 -------- d-------- C:\Program Files\lavasoft
2006-11-19 09:20 -------- d-------- C:\DOCUME~1\newuser\Application Data\lavasoft
2006-11-19 08:44 -------- d-------- C:\DOCUME~1\newuser\Application Data\google
2006-11-15 22:51 -------- d-------- C:\Program Files\java
2006-11-15 09:03 -------- d-------- C:\Program Files\msxml 4.0
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"IBM RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\\\ibmmessages.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"IBMPRC"="C:\\IBMTOOLS\\UTILS\\ibmprc.exe"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"ZENRC Tray Icon"="zentray.exe"
"NWTRAY"="NWTRAY.EXE"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"BLOG"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"{980BE85D-05D7-1033-0602-060409160001}"="\"C:\\Program Files\\Common Files\\{980BE85D-05D7-1033-0602-060409160001}\\Update.exe\" te-110-12-0000064"
"{980BE85D-05D7-1033-0602-060409160051}"="\"C:\\Program Files\\Common Files\\{980BE85D-05D7-1033-0602-060409160051}\\Update.exe\" te-110-12-0000064"
"{980BE85D-0256-1033-0602-060409160051}"="\"C:\\Program Files\\Common Files\\{980BE85D-0256-1033-0602-060409160051}\\Update.exe\" te-110-12-0000064"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 07-01-14 16:09:27
BraveMax
2007-01-14, 22:34
And I wound up running combo-fix a second time, and here's the log from that:
"newuser" - 07-01-14 16:19:55 Service Pack 2
ComboFix 07-01-14.2 - Running from: "C:\Download"
((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))
2007-01-13 02:48 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-13 02:45 <DIR> d-------- C:\DOCUME~1\newuser\.housecall6.6
2007-01-12 18:29 <DIR> d-------- C:\HiJackThis
2007-01-12 18:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-11 21:23 <DIR> d-------- C:\DOCUME~1\newuser\Application Data\.gaim
2007-01-11 21:21 <DIR> d-------- C:\Program Files\Gaim
2007-01-11 21:21 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-01-11 20:14 <DIR> d-------- C:\DOCUME~1\newuser\Application Data\Viewpoint
2007-01-10 14:02 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-10 11:32 <DIR> d--hs---- C:\WINDOWS\IA
2007-01-08 23:51 <DIR> d-------- C:\Program Files\Logiccode
2007-01-04 00:49 46,346 --a------ C:\WINDOWS\system32\SmrtDrive.dll
2007-01-04 00:48 83,216 --a------ C:\WINDOWS\system32\MabryObj.dll
2007-01-04 00:48 49,152 --a------ C:\WINDOWS\system32\cast.dll
2007-01-04 00:48 206,088 --a------ C:\WINDOWS\system32\HttpX.dll
2007-01-04 00:48 122,880 --a------ C:\WINDOWS\system32\fxtls532.dll
2007-01-04 00:47 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
2007-01-04 00:47 561,179 --a------ C:\WINDOWS\system32\dao360.dll
2007-01-04 00:47 48,872 --a------ C:\WINDOWS\system32\SSPng.dll
2007-01-04 00:47 29,184 --a------ C:\WINDOWS\system32\PICN20.dll
2007-01-04 00:47 <DIR> d-------- C:\Program Files\4PLAY
2007-01-02 10:45 92,485 --a------ C:\WINDOWS\system32\install.exe
2006-12-19 18:20 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-19 18:20 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-14 16:18 -------- d-------- C:\Program Files\symantec antivirus
2007-01-14 16:01 -------- d-------- C:\Program Files\mozilla firefox
2007-01-14 15:06 -------- d-------- C:\DOCUME~1\newuser\Application Data\.gaim
2007-01-13 01:37 -------- d-------- C:\Program Files\smartftp
2007-01-13 01:32 -------- d-------- C:\Program Files\messenger plus! 3
2007-01-13 01:29 -------- d-------- C:\Program Files\itunes
2007-01-13 01:28 -------- d-------- C:\Program Files\ibm recordnow!
2007-01-13 01:27 -------- d-------- C:\Program Files\google
2007-01-13 01:26 -------- d-------- C:\Program Files\digital line detect
2007-01-09 13:50 -------- d-------- C:\Program Files\warcraft iii
2007-01-08 03:48 3888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
2007-01-07 14:08 -------- d-------- C:\Program Files\dictionary
2007-01-06 18:23 -------- d-------- C:\Program Files\aim
2007-01-05 05:13 -------- d-------- C:\Program Files\aim6
2006-12-29 19:37 -------- d-------- C:\Program Files\divx
2006-12-23 03:30 -------- d-------- C:\DOCUME~1\newuser\Application Data\skype
2006-12-12 15:32 -------- d-------- C:\Program Files\Common Files\aol
2006-12-12 15:13 -------- d-------- C:\Program Files\Common Files\nullsoft
2006-11-30 14:25 -------- d---s---- C:\DOCUME~1\newuser\Application Data\microsoft
2006-11-29 14:44 -------- d-------- C:\Program Files\ipod
2006-11-29 14:42 -------- d-------- C:\Program Files\quicktime
2006-11-28 21:36 -------- d-------- C:\Program Files\winamp
2006-11-26 16:28 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-11-25 04:25 -------- d-------- C:\Program Files\dawn of war
2006-11-20 09:42 11712 --a------ C:\WINDOWS\system32\egathdrv.sys
2006-11-20 09:42 -------- d--h----- C:\Program Files\installshield installation information
2006-11-20 09:40 -------- d-------- C:\Program Files\netwaiting
2006-11-20 09:40 -------- d-------- C:\Program Files\conexant
2006-11-20 02:02 -------- d-------- C:\Program Files\thinkpad
2006-11-20 02:02 -------- d-------- C:\Program Files\analog devices
2006-11-20 02:00 -------- d-------- C:\Program Files\ati technologies
2006-11-20 01:49 -------- d-------- C:\Program Files\lenovo
2006-11-20 01:48 -------- d-------- C:\Program Files\Common Files\lenovo
2006-11-19 10:38 -------- d-------- C:\DOCUME~1\newuser\Application Data\imvu
2006-11-19 09:26 -------- d-------- C:\Program Files\lavasoft
2006-11-19 09:20 -------- d-------- C:\DOCUME~1\newuser\Application Data\lavasoft
2006-11-19 08:44 -------- d-------- C:\DOCUME~1\newuser\Application Data\google
2006-11-15 22:51 -------- d-------- C:\Program Files\java
2006-11-15 09:03 -------- d-------- C:\Program Files\msxml 4.0
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"IBM RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\\\ibmmessages.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"IBMPRC"="C:\\IBMTOOLS\\UTILS\\ibmprc.exe"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"ZENRC Tray Icon"="zentray.exe"
"NWTRAY"="NWTRAY.EXE"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~2\\VPTray.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TVT Scheduler Proxy"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"BLOG"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"{980BE85D-05D7-1033-0602-060409160001}"="\"C:\\Program Files\\Common Files\\{980BE85D-05D7-1033-0602-060409160001}\\Update.exe\" te-110-12-0000064"
"{980BE85D-05D7-1033-0602-060409160051}"="\"C:\\Program Files\\Common Files\\{980BE85D-05D7-1033-0602-060409160051}\\Update.exe\" te-110-12-0000064"
"{980BE85D-0256-1033-0602-060409160051}"="\"C:\\Program Files\\Common Files\\{980BE85D-0256-1033-0602-060409160051}\\Update.exe\" te-110-12-0000064"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 07-01-14 16:25:48
C:\ComboFix2.txt ... 07-01-14 16:09
pskelley
2007-01-14, 23:20
OK on the MyTobfix, the item is still there, we will give it a try manually. Please follow the instructions in the numbered order.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) TeaTimer will block the changes we must make, follow the instruction in this link to turn it off until you are done.
http://russelltexas.com/malware/teatimer.htm
4) Disable the Service
Click Start > Run and type services.msc
Scroll down to COM+ Messages and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type COM+ Messages and press OK.
OK any prompts, close HijackThis, and restart your computer.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160001}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160001}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [{980BE85D-05D7-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O4 - HKLM\..\Run: [{980BE85D-0256-1033-0602-060409160051}] "C:\Program Files\Common Files\{980BE85D-0256-1033-0602-060409160051}\Update.exe" te-110-12-0000064
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/115ea08a...p/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000064 (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items in bold if they are there:
C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160001}\Update.exe
C:\Program Files\Common Files\{980BE85D-05D7-1033-0602-060409160051}\Update.exe
C:\Program Files\Common Files\{980BE85D-0256-1033-0602-060409160051}\Update.exe
7) All of these were created on 1/4/2007. Please use one or more of these free online scans to find out if they are bad. If they are all bad, be aware they probably got on your computer along with the program (C:\Program Files\4PLAY)
If you find they are bad, delete them. You may have to boot to safe mode to do it?
http://www.bleepingcomputer.com/tutorials/tutorial61.html
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\system32\SmrtDrive.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\cast.dll
C:\WINDOWS\system32\HttpX.dll
C:\WINDOWS\system32\SSPng.dll
C:\WINDOWS\system32\PICN20.dll
C:\Program Files\4PLAY
C:\WINDOWS\system32\install.exe
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log. Let me know how the computer is running.
Thanks
BraveMax
2007-01-15, 01:29
Some quick things:
1) COM+ was already stopped
2) I couldn't find "023 - Service: COM+... (file missing)"
3) The three files that were supposed to be in "Common Files" weren't there
4) Only "install.exe" showed up as bad. I used Kaspersky and jotti.org
5) The new HJT log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:25 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\newuser\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
Command Service still shows up in Spybot, associated with the following files:
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
pskelley
2007-01-15, 01:53
OK and thanks for the feedback.The HJT log looks clean of malware. You rJava program needs an update, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version and uninstall all old versions in Add Remove Programs.
________________________________________________________
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted !!.
http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.
________________________________________________________
I would like to run one more program to look for anything hiding, please follow the directions in the following link. Make sure you delete or at least quarantine anything located.
http://forums.security-central.us/showthread.php?t=3165
Post the scan results and one last HJT log. Let me know if that took care of the Command Service items in Spybot and how the computer is running now.
Thanks
BraveMax
2007-01-15, 02:30
Running from C:\Documents and Settings\newuser\Desktop\ren-cmdservice
No Image Path Listed in Registry
-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------
Restarting...
BraveMax
2007-01-15, 02:41
Also - I couldn't get rid of the old versions of Java. For some reason all three updates of JRE 5 reference a folder that is in a network folder on my desktop, which is in another city. Coincidentally, I moved a bunch of folders from my laptop to that computer when I was last in that city - up until January 8th. So I probably contracted all this there.
Running the spyware scan, and I'll post the log from the other scan when I do it.
pskelley
2007-01-15, 02:53
Knowing little about Java all I can do is tell you what I am aware of. That is that hackers are using script to infect folks running old versions of Java. I understand from the information I have been given that you can get infected if you have old programs on the computer. Besides that I can refer you to Java, here are a couple of links:
http://java.sun.com/developer/support/
http://java.sun.com/products/javahelp/
http://www.java.com/en/download/help/index_installing.xml
Thanks
BraveMax
2007-01-15, 03:00
Final log:
Logfile of HijackThis v1.99.1
Scan saved at 8:59:02 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpShocks.exe
c:\program files\lenovo\system update\suservice.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
Command Service seems to be gone, but I'm still getting different random spyware programs every time I scan. Very strange. Let me know if you notice anything else... And I'll try to contact SJ about Java... I dunno what's up with it or why it would need files that I moved to the other computer (Files that were in a picture folder, no less!).
BraveMax
2007-01-15, 04:30
Lol
I couldn't remove Java the traditional way, and I don't really have the chance to head to the other city where my desktop is for a while. So I basically wound up deleting the registry entries with the JRE uninstallation info and all the files in the program folder and common files folder that pertained to the older version. It's not perfect, but it'll do for now...
Spybot now returns all-clear. Thanks for all your help! I'm just gonna run that last program you mentioned.
BraveMax
2007-01-15, 06:45
Here we go:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:43:36 AM 1/15/2007
+ Scan result:
C:\HiJackThis\backups\backup-20070114-184545-802.dll -> Adware.Coupons : Cleaned.
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned.
:mozilla.100:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.189:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.255:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.260:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.437:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.78:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.87:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.88:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.89:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.90:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.93:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.94:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.95:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.96:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.97:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.98:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.99:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\newuser\Cookies\newuser@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.115:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.116:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.129:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.130:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.35:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.53:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.739:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.180:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.181:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.740:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.663:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.198:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.199:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.29:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.298:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.299:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.118:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.119:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.120:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.121:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.157:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.54:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.55:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.752:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.753:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.754:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.755:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.341:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.21:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.22:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.23:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.24:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.707:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.708:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.693:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.64:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.65:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.462:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.463:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Overture : Cleaned.
BraveMax
2007-01-15, 06:48
:mozilla.125:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.127:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.128:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.470:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.471:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.472:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.288:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.289:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.290:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.291:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.292:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.293:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.294:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.295:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.177:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.541:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.542:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.543:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.544:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.545:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.203:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.204:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.205:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.206:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.207:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.208:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.209:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.210:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.211:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.212:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.213:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.214:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.215:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.216:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.217:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.218:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.219:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.220:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.221:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.222:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.223:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.224:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.225:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.226:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.227:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.228:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.229:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.230:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.231:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.232:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.233:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.234:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.235:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.236:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.237:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.238:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.239:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.240:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.241:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.242:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.243:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.244:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.245:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.246:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.247:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.248:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.249:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.250:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.251:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.252:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
:mozilla.783:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.784:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.785:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.122:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.123:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.52:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.30:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.31:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.32:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.33:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.34:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.672:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.583:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.584:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.585:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.586:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.587:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.588:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.589:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.590:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.595:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.596:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.597:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.598:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.599:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.600:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.601:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.602:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.643:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.644:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.659:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.660:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.661:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.662:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.56:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.57:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.58:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.59:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.60:C:\Documents and Settings\newuser\Application Data\Mozilla\Firefox\Profiles\default.mpf\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\IA\KE.vbs -> Trojan.Small : Cleaned.
::Report end
pskelley
2007-01-15, 11:47
Thanks for the information, You have two items that are problems:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
http://www.xblock.com/product_show.php?id=1793
http://www.spywareguide.com/product_show.php?id=1793
and: O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
http://vil.nai.com/vil/content/v_134314.htm
For some reason they were not removed by HJT? The only program I can see that might block the change is TeaTimer. Did you follow the instructions to turn it off during the removal? If so you might try again, if there are still in the next log, uninstall Spybot, reboot and then try it. Once they are remove you can reinstall Spybot.
C:\Program Files\Messenger Plus! 3\MsgPlus.exe read about that program:
http://www.castlecops.com/startuplist-2034.html If LOP got installed, it is very hard to remove and it might not show in the HJT log?
My suggest would be to uninstall the program.
http://inetexplorer.mvps.org/answers/43.html
http://chooseknowledge.com/How-to-uninstall-Messenger-Plus.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
read about this one: http://www.castlecops.com/startuplist-1321.html
I suggest you use HJT to remove this one and check Add Remove programs for GetRight Browser and uninstall it if there.
but I'm still getting different random spyware programs every time I scan.
I don't understand what you are saying here? What random programs? Are you sure these are not dataminer/tracking cookies that are a part of surfing the web unless you block them?
I would say AVG did a great job cleaning junk cookies for you. If you need information showing how to block that junk in Firefox, let me know.
Let's finish up by cleaning out your System Restore files:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks and safe surfing...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
BraveMax
2007-01-20, 23:29
Sorry for the delay - I got caught up with work.
I disabled tea-timer again and removed those values, as well as uninstalling Getright. I'm fairly certain LOP wasn't installed with Messenger Plus - I recall noticing the option at the time of installation and choosing not to get the sponsor stuff.
I don't typically have System Restore on, so no worries there.
Here is my latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:26:52 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
BraveMax
2007-01-20, 23:47
Hm... It seems that the two values stay gone as long as Teatimer is off, but once I re-enable it (I made sure to restart before enabling it too...) they re-appear.
I'm going to try leaving it on and telling it to allow the changes. We'll see.
pskelley
2007-01-20, 23:56
OK and thanks for getting back with me, you said:
I don't typically have System Restore on, so no worries there.We have found that even a bad restore point is better than no restore point, so I would keep that on all of the time.
I understand what you are saying about MessengerPlus, I just can't understand why they would make it so difficult for you to not install LOP/C2Media. I consider this such bad business I would never use their product. I mean just read what is being said about the junk they bundle with their product and most folks do not know enough to read the EULA like you did:
http://www.spywareinfo.com/articles/lop/
Lop.com has become one of the most hated names on the internet. http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.Lop&threatid=8144
http://sarc.com/avcenter/venc/data/adware.lop.html
http://en.wikipedia.org/wiki/C2.LOP
Known programs that bundle LOP
Patchou's Messenger Plus
Warez P2P Client
I could go on and on, you do what you have to do.
Safe surfing to you:bigthumb:
Your last post, you are not talking about the Command Service keys? If so, try that fix again, and make sure you are running it exactly as instructed.
I can tell you this about TeaTimer, we at times have to uninstall Spybot and make the change then reinstall Spybot. At times that is the only way TeaTimer allows the changes.
BraveMax
2007-01-20, 23:58
I guess there's something to be said for persistence in a program like Teatimer :-p
I'll uninstall Spybot and try it again. I shouldn't be surprised trying to remove them with Teatimer on didn't work. The keys I'm refering to are these:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
http://www.xblock.com/product_show.php?id=1793
http://www.spywareguide.com/product_show.php?id=1793
and: O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
http://vil.nai.com/vil/content/v_134314.htm
pskelley
2007-01-21, 00:23
OK, those ActiveX plugins are being read by CastleCops here:
http://www.castlecops.com/ActiveX.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
http://www.xblock.com/product_show.php?id=1793
This one is: Netster(?) X {56336BCB-3D8A-11D6-A00B-0050DA18DE71} RdxIE2.cab Malware. The IP belongs to godaddy.com
Netster X {56336BCB-3D8A-11D6-A00B-0050DA18DE71} identified by SpywareBlaster
This one: O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
as this:
Coupons Inc X {9522B3FB-7A2B-4646-8AF6-36E7F593073C} cpbrkpie.cab IESPYADS Restricted Site
Try it again with HJT, TeaTimer rarely stops those from being removed. You can also try the long way around manually like this:
Internet Explorer > Tools > Options > Settings (next to the Delete key)
View Objects > you should be able to highlite and delete them from there.
Thanks
BraveMax
2007-01-21, 06:11
Hah - I had quite a bit of trouble removing them. Your initial suggestion of uninstalling Spybot seems to have done the trick, though.
I'll post a final log as soon as I reinstall Spybot and give it a good restart.
BraveMax
2007-01-21, 06:21
Spybot reinstalled, everything looks okay, I guess. Java seems to have stopped complaining, too - I may have gotten all its pieces manually. Getright is uninstalled, and I'm pretty sure Messenger Plus is free of spyware too. Was there anything else?
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 12:18:42 AM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\NALNTSRV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-itR Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
pskelley
2007-01-21, 12:50
That sounds good, unusual for the Downloaded Program Files to be that hard to remove? Any other program onboard that would block changes? The Guard in Avg Anti-Spyware would. This last HJT log looks fine:bigthumb:
Thanks
BraveMax
2007-01-21, 15:46
Spyware and AVG gave completely negative results on their last scan, and Adaware just found a few cookies. Looks like I'm clean.
Thanks for all your help - you've been awesome!
pskelley
2007-01-21, 15:53
http://www.google.com/search?hl=en&rls=GGLG,GGLG:2006-16,GGLG:en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=controlling+cookies&spell=1
:eek: :bigthumb:
pskelley
2007-01-27, 11:36
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.