suspect Hijack/rootkit, repeated reg change warnings



limited
2007-02-05, 00:11
Greetings and thanks in advance for your help,

I am running W2k, with Norton AV, and SpyBot. I suspect an infection due to repeated reg. change warnings (TeaTimer). Also, browser search now goes to www.earthlink-help.net (not my choice).

I also wondered at the on-screen layout error of the SpyBot (TeaTimer) reg change dialog - the Accept and Remember This buttons/options are superimposed - a known bug, my machine, or an attack result? I am unable to select No to the reg changes and can only close the popup (which immediately reopens).

I have done the following:
Completely uninstalled SpyBot, including deleting folders and running regedit script.
Used Pandasoftwares Active scan (it detected only one item - see below)
Reinstalled Spybot, updated and ran it with Win booted into Safe Mode (it detected nothing).
Ran Hijackthis - log below.
I have included below the Spybot startup log - please note the entries starting at crypt32chain (DISABLED). I am not sure what they are, nor whether they are actually disabled.

****Panda****
Incident Status Location

Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\Customer\Local Settings\Temporary Internet Files\Content.IE5\MM3RYQXE\LeakTest[1].exe


****Hijack****
Logfile of HijackThis v1.99.1
Scan saved at 12:54:04 PM, on 2/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morsecode.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Man, I hate Microsoft...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WackGet Browser Helper Object - {248B131E-01EA-4587-8EFE-1D915E143D5E} - C:\Program Files\WackGet\WackGet.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless USB Network Adapter Config Utility.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: WackGet it! - C:\Program Files\WackGet\WGBHO.js
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123815965621
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} (CV3 Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D52EDE-CA91-424A-A24D-EB64417D2536}: NameServer = 207.69.188.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{29D52EDE-CA91-424A-A24D-EB64417D2536}: NameServer = 207.69.188.185
O17 - HKLM\System\CS3\Services\Tcpip\..\{29D52EDE-CA91-424A-A24D-EB64417D2536}: NameServer = 207.69.188.185
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



****Spybot Startup log****

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-02-03 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2007-02-02 Includes\Cookies.sbi
2004-11-29 Includes\LSP.sbi
2007-02-02 Includes\Revision.sbi
2005-02-16 Includes\Tracks.uti
2007-02-02 Includes\DialerC.sbi
2007-02-02 Includes\HijackersC.sbi
2007-02-02 Includes\KeyloggersC.sbi
2007-02-02 Includes\MalwareC.sbi
2007-02-02 Includes\PUPSC.sbi
2007-02-02 Includes\SecurityC.sbi
2007-02-02 Includes\SpybotsC.sbi
2007-02-02 Includes\TrojansC.sbi
2006-12-08 Includes\Dialer.sbi
2006-11-24 Includes\Hijackers.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-01-12 Includes\Malware.sbi
2007-01-19 Includes\PUPS.sbi
2006-12-08 Includes\Security.sbi
2007-02-02 Includes\Spybots.sbi
2006-12-08 Includes\Trojans.sbi

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 58984
MD5: dd35c08bad29b1c0ba6e6dbb1034769c

Located: HK_LM:Run, SSC_UserPrompt
command: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
file: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
size: 218240
MD5: b96c81be7b8d11710496787e5859d768

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
size: 100056
MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINDOWS\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, Acronis Scheduler2 Service (DISABLED)
command: "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
file:

Located: HK_LM:Run, Acronis True Image Monitor (DISABLED)
command: "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
file:

Located: HK_LM:Run, Synchronization Manager (DISABLED)
command: mobsync.exe /logon
file: C:\WINDOWS\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: f8dbb32041336a94c676e6b70f759993

Located: HK_LM:Run, SystemTray (DISABLED)
command: SysTray.Exe
file: C:\WINDOWS\system32\SysTray.Exe
size: 3856
MD5: 349c33508ae444215e23bf7bdd174adf

Located: HK_LM:Run, WinFaxAppPortStarter (DISABLED)
command: wfxsnt40.exe
file:

Located: HK_LM:Run, WinVNC (DISABLED)
command: "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
file:

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 536f27b2413490abc6ecdd53f9cdf4aa

Located: Startup (common), Wireless USB Network Adapter Config Utility.lnk (DISABLED)
command:
file:

Located: System.ini, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: System.ini, nwprovau (DISABLED)
command: nwprovau.dll
file: nwprovau.dll

Located: System.ini, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif (DISABLED)
command: wzcdlg.dll
file: wzcdlg.dll



Thanks Again...
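The HijackThis log above is the kind of artifact a responder triages by entry class: browser start/search settings (R0/R1), IE policy restrictions (O6), downloaded ActiveX controls with no recorded source (O16), DNS servers set per adapter (O17), and services whose binary is gone (O23). The following parser is an added example, not part of the original post or of HijackThis itself; it reads lines in the v1.99 format and flags those classes. The sample log is constructed from lines quoted in the post, and the `expected_dns` set is a hypothetical allowlist the operator supplies (for instance, the resolver their ISP documents) so that O17 entries are only flagged when they point elsewhere.

```python
"""Triage a HijackThis v1.99-style log.

Added example: parses each 'Rn - ...' / 'On - ...' line and flags the
entry classes a responder looks at first. SAMPLE_LOG is constructed from
lines quoted in the forum post; expected_dns is a hypothetical allowlist.
"""
import re
from dataclasses import dataclass

# Raw string so the backslashes in registry paths survive as written.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morsecode.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{29D52EDE-CA91-424A-A24D-EB64417D2536}: NameServer = 207.69.188.185
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(https?://\S+)")
NS_RE = re.compile(r"NameServer\s*=\s*(.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(log_text):
    """Return (section, body, raw_line) for every recognised entry line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body"), line))
    return entries


def triage(log_text, expected_dns=frozenset()):
    """Flag the entry classes worth a second look; order follows the log."""
    findings = []
    for sec, body, raw in parse_hjt(log_text):
        if sec in ("R0", "R1"):
            m = URL_RE.search(body)
            if m:  # start/search page set to a URL: confirm the user chose it
                findings.append(Finding(sec, f"browser setting points at {m.group(1)}; confirm it is yours", raw))
        elif sec == "O6":
            # Policy keys lock IE settings; legitimate only if an admin set them.
            findings.append(Finding(sec, "IE policy restriction present; confirm an administrator set it", raw))
        elif sec == "O16" and body.rstrip().endswith("-"):
            # DPF entry with no download URL: the control is registered but its origin is unknown.
            findings.append(Finding(sec, "ActiveX control registered without a source URL; identify the CLSID", raw))
        elif sec == "O17":
            m = NS_RE.search(body)
            for server in (m.group(1).split(",") if m else []):
                server = server.strip()
                if server and server not in expected_dns:
                    findings.append(Finding(sec, f"DNS server {server} is not in the expected set; possible DNS change", raw))
        elif sec == "O23" and "(file missing)" in body:
            # A service whose binary is gone is usually a leftover uninstall, but it is worth confirming.
            findings.append(Finding(sec, "service registered but its binary is missing; orphaned or removed", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"207.69.188.185"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample with the resolver on the allowlist, the O17 line is silent and four entries remain: the start page, the O6 restriction, the source-less O16 control, and the Acronis service with a missing file. Clearing the allowlist makes the O17 line show up as well, which is the behaviour a responder wants when they do not yet know which resolver the machine should be using.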

tashi
2007-02-19, 09:47
Hello and sorry for the wait.

If you have not resolved the problem, we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

tashi
2007-02-26, 01:29
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.