Popups, slow computer, smitfraud detected, possible hijack?



shaconaqe
2007-04-15, 00:42
Hello:

I read through the "Rogue" sticky post and followed the instructions, and I also read through the "Before you post" sticky, so I am going to try and be thorough here. I have popup problems, both general and the smitfraud-type antivirus ones. My computer has also been running slow, and I have noticed the Java icon appear unexpectedly down on my toolbar. Sooooo... I did the smitfraud fix steps and it seems to be running a bit better for now. I also did the online Panda scan. Here are the various logs:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:05 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: ATI2chx - C:\WINDOWS\SYSTEM32\ATI2chx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

shaconaqe
2007-04-15, 00:43
Panda log:

Incident Status Location

Virus:Trj/Metanu.A Disinfected C:\WINDOWS\SYSTEM32\tmp14.tmp.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Gateway User\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Gateway User\Desktop\SmitfraudFix\RESTART.EXE
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gateway User\Cookies\gateway_user@atdmt[1].txt
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[VaaaaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[Dvnny.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[Baaaaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[Dex.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[Dix.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\ms-counter.jar-5aecf5b2-208f17d5.zip[Dux.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[BaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[VaaaaaaaBaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[Dvnny.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[Baaaaa.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[Dex.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[Dix.class]
Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\crtdcghcn.jar-7ed62d00-56768872.zip[Dux.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-43fcd038-20cc4973.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-43fcd038-20cc4973.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-43fcd038-20cc4973.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Gateway User\Application Data\Sun\Java\Deployment\CACHE\JAVAPI\V1.0\JAR\count.jar-43fcd038-20cc4973.zip[Beyond.class]

shaconaqe
2007-04-15, 00:49
Spybot S&D log:

--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Araf15


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-03-24 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-15 advcheck.dll (1.2.1.0)
2007-01-02 Tools.dll (2.0.1.0)
2006-12-08 Includes\Dialer.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-04-04 Includes\Hijackers.sbi (*)
2007-04-11 Includes\Trojans.sbi (*)
2007-04-11 Includes\Cookies.sbi (*)
2007-04-11 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-04-11 Includes\TrojansC.sbi (*)
2007-04-11 Includes\SpybotsC.sbi (*)
2007-04-11 Includes\SecurityC.sbi (*)
2007-04-11 Includes\PUPSC.sbi (*)
2007-04-11 Includes\MalwareC.sbi (*)
2007-04-11 Includes\KeyloggersC.sbi (*)
2007-04-11 Includes\HijackersC.sbi (*)
2007-04-11 Includes\DialerC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DirectX: DirectX Update 819696
/ DirectX: Windows Update 904706
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Windows Media Update 917734
/ Windows Media Player: Windows Media Update Q308567
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911164)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)


--- Startup entries list ---
Located: HK_LM:Run, AudioHQ
command: C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
file: C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
size: 204800
MD5: bc07bd65fe5aad56297b6232cfa4b39c

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
size: 411648
MD5: 2a62570d13f14f49218ce7b03caa9cb2

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: 30e1f03dcc8825988528d9058312ede2

Located: HK_LM:Run, Speed racer
command: C:\Program Files\Creative\PlayCenter\CTSRReg.exe
file: C:\Program Files\Creative\PlayCenter\CTSRReg.exe
size: 5632
MD5: 8c21a9d01b5f44556ed27ba2964d1ff9

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\system32\SysTray.Exe
size: 3072
MD5: 46e07fd3a40760fda18cf6b4fc691742

Located: HK_LM:Run, UpdReg
command: C:\WINDOWS\Updreg.exe
file: C:\WINDOWS\Updreg.exe
size: 86016
MD5: 73b627359f27c2fbc85590ff7808281b

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, Yahoo! Pager
command: "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
file: C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
size: 4670968
MD5: 84f728bcb139fa157d1756e3cb4b76d8

Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: deeb53fa66b9e47f6989942aec7648a3

Located: Startup (common), Microtek Scanner Finder.lnk
command: C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
file: C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
size: 315392
MD5: 4490aef18b3676650d3f65e9be612ae3

Located: Startup (common), Quicken Scheduled Updates.lnk
command: C:\Program Files\Quicken\bagent.exe
file: C:\Program Files\Quicken\bagent.exe
size: 57344
MD5: fb2def5acf7e1d43962e2900e1fefc14

Located: System.ini, ATI2chx
command: ATI2chx.dll
file: ATI2chx.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx; AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 5/7/2005 10:53:00 AM
Date (last access): 4/14/2007
Date (last write): 4/16/2001 4:39:02 PM
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 3/24/2007 4:38:22 PM
Date (last access): 4/14/2007
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{56d301fe-6de5-4129-a1ce-8c4c9da6f929} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ATI2chx.dll
Short name: ATI2CHX.DLL
Date (created): 3/18/2007 10:38:22 PM
Date (last access): 4/14/2007
Date (last write): 3/18/2007 10:38:22 PM
Filesize: 19726
Attributes: archive
MD5: 9284ECE466E44692DA2B718B412AC0E1
CRC32: 87545867

{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: tmpB.tmp.dll
Short name: TMPBTM~1.DLL
Date (created): 4/13/2007 8:15:36 PM
Date (last access): 4/14/2007
Date (last write): 4/13/2007 8:15:36 PM
Filesize: 37658
Attributes: archive
MD5: 573B45A29817A8061D0E3BBE061D017B
CRC32: A7B08670

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name: SSV.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 4/14/2007
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll; googletoolbar*.dll (* = number); googletoolbar_en_*.**-big.dll; Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 2/26/2006 9:42:36 AM
Date (last access): 4/14/2007
Date (last write): 2/14/2006 8:05:22 PM
Filesize: 1158656
Attributes: readonly archive
MD5: 7DB512809C6D2483452FDAC798A08418
CRC32: BEAC7D3D
Version: 3.0.131.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\SYSTEM\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/pote_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{0000000A-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmsp9dmo.inf
Codebase: http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name: QTPLUGIN.OCX
Date (created): 2/16/2007 10:55:20 AM
Date (last access): 4/14/2007
Date (last write): 2/16/2007 10:55:20 AM
Filesize: 566856
Attributes: archive
MD5: E10B2F8BF84893F62A0312530533568E
CRC32: 920675CD
Version: 7.1.5.120

{0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate)
DPF name:
CLSID name: Creative Software AutoUpdate
Installer: C:\WINDOWS\Downloaded Program Files\CTSUEng.inf
Codebase: http://www.creative.com/su/ocx/15026/CTSUEng.cab
description:
classification: Legitimate
known filename: CTSUEng.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTSUEng.ocx
Short name: CTSUENG.OCX
Date (created): 8/11/2006 9:36:58 AM
Date (last access): 4/10/2007
Date (last write): 8/11/2006 9:36:58 AM
Filesize: 225280
Attributes: archive
MD5: C0C9BD750CA2321F764F9339A1F2E845
CRC32: 5BAF8E34
Version: 1.50.15.0

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 12/12/2006 10:45:04 AM
Date (last access): 4/14/2007
Date (last write): 3/15/2007 6:19:28 PM
Filesize: 1476992
Attributes:
MD5: D1CB99ADBA9397D7D02B0B2DCFE47F1A
CRC32: ED982FE3
Version: 1.7.18.5

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

shaconaqe
2007-04-15, 00:51
Spybot continued:


{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc3.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name: OPUC.DLL
Date (created): 11/17/2005 11:12:26 PM
Date (last access): 4/10/2007
Date (last write): 11/17/2005 11:12:26 PM
Filesize: 533504
Attributes:
MD5: 24F3058766D5FC3FD0F37F6D6EE6FE9B
CRC32: F1FAEDE3
Version: 12.0.3208.1014

{406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia)
DPF name:
CLSID name: Snapfish Activia
Installer: C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.inf
Codebase: http://photos.walmart.com/WalmartActivia.cab
description:
classification: Legitimate
known filename: SnapfishActivia1000.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: SnapfishActivia1000.ocx
Short name: SNAPFI~1.OCX
Date (created): 6/3/2005 12:24:32 PM
Date (last access): 4/10/2007
Date (last write): 6/3/2005 12:24:32 PM
Filesize: 286720
Attributes:
MD5: F5C79C45F1ADF877DC3AFDFF3565AE7B
CRC32: F118547A
Version: 1.0.0.10

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\WINDOWS\Downloaded Program Files\MSNPupld.inf
Codebase: http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: MsnPUpld.dll
Short name: MSNPUPLD.DLL
Date (created): 10/8/2004 4:01:22 PM
Date (last access): 4/14/2007
Date (last write): 10/8/2004 4:01:22 PM
Filesize: 372736
Attributes:
MD5: D2ED523BB0FE94F8F492BEFE1C336040
CRC32: C4677625
Version: 10.0.910.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_06.inf
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 4/14/2007
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38571.6449189815
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\
Long name: ssv.dll
Short name: SSV.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 4/14/2007
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 4/14/2007
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9b.ocx
Short name: FLASH9B.OCX
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 4/14/2007
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

{F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package)
DPF name:
CLSID name: Creative Software AutoUpdate Support Package
Installer: C:\WINDOWS\Downloaded Program Files\CTPID.inf
Codebase: http://www.creative.com/su/ocx/15028/CTPID.cab
description:
classification: Legitimate
known filename: CTPID.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTPID.ocx
Short name:
Date (created): 12/6/2006 11:10:22 AM
Date (last access): 4/10/2007
Date (last write): 12/6/2006 11:10:22 AM
Filesize: 38696
Attributes: archive
MD5: 54FA3D94C2D2EB18F753B120799CEA88
CRC32: E299414F
Version: 1.0.34.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 124 ( 4) \SystemRoot\System32\smss.exe
PID: 176 ( 124) \??\C:\WINDOWS\system32\csrss.exe
PID: 200 ( 124) \??\C:\WINDOWS\system32\winlogon.exe
PID: 244 ( 200) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 256 ( 200) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 400 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 464 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 520 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 760 ( 732) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 928 ( 760) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 4/14/2007 5:11:26 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CABA5A37-A225-41DF-AC2D-507FB67C05CA}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CABA5A37-A225-41DF-AC2D-507FB67C05CA}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{09844D10-4553-4344-B54E-5696A60801C6}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{09844D10-4553-4344-B54E-5696A60801C6}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{785AF079-166F-49A8-A731-F8D86FB9EDFE}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{785AF079-166F-49A8-A731-F8D86FB9EDFE}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

shaconaqe
2007-04-15, 00:53
Spybot continued:


Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



--- Uninstall list ---
ABBYY FineReader 4.0 Sprint (ABBYY FineReader 4.0 Sprint)
uninstall cmd: C:\WINDOWS\bitdeins.exe C:\PROGRA~1\ABBYYF~1.0SP\BITDEINS.INI

Adaptec Easy CD Creator 4 (Adaptec Master Setup)
uninstall cmd: "C:\Program Files\Common Files\Adaptec\ECDCUNIN\SETUP.EXE" -l0009 -fECDC.INS

(ADAPTECCreateCDKEY)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\CreateCD\UNINST.ISU"

(ADAPTECCreatr32KEY)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"

(ADAPTECMASTERKEY)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\Easy CD Creator 4\UNINST.ISU"

(AddressBook)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: C:\WINDOWS\TEMP\pft4242~TMP\
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

Adobe Photoshop Elements 2.0 2.0 (Adobe Photoshop Elements 2.0)
version (major): 2
install location: C:\Program Files\Adobe\Photoshop Elements 2
install source: E:\Adobe Photoshop Elements\
uninstall cmd: C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
publisher: Adobe Systems, Inc.

(AudioHQ)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"

AVG 7.5 (AVG7Uninstall)
uninstall cmd: C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL

(Branding)

Canon S820 (CANONBJ_Deinstall_CNMCP3k.DLL)
uninstall cmd: C:\WINDOWS\system32\CNMCP3K.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S820 Installer\Inst\DeIsL1.isu" -pCanon S820-c"C:\BJPrinter\CNMWINDOWS\Canon S820 Installer\Inst\bjinst.dll

Canon S820 (CJPDRV_Deinstall 3K)
uninstall cmd: C:\WINDOWS\SYSTEM32\CJPDEL3K.EXE

(Connection Manager)

(Creative Recorder)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Recorder\Recorder.isu"

(Creative Restore Defaults)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"

(Creative WaveStudio)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Wstudio.isu"

(Diagnostics)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Diagnose.isu"

(DirectAnimation)

Adaptec DirectCD (DirectCD)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adaptec\DirectCD\DCDUnins.isu" -cC:\PROGRA~1\ADAPTEC\DIRECTCD\Dcduhlp.dll

(DirectDrawEx)

(DXM_Runtime)

(expinst)

ffdshow [beta 1] [2006-12-11] 1.0 (ffdshow_is1)
install date: 20070210
install location: C:\Program Files\ffdshow\
uninstall cmd: "C:\Program Files\ffdshow\unins000.exe"

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Program Files\Hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

Hijackthis 1.99.1 (Hijackthis_is1)
install location: C:\Program Files\Hijackthis\
uninstall cmd: "C:\Program Files\Hijackthis\unins000.exe"
publisher: Soeperman Enterprises Ltd
help link: http://www.merijn.org

(ICW)

Microsoft Internationalized Domain Names Mitigation APIs (IDNMitigationAPIs)
install date: 20070320
uninstall cmd: "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
publisher: Microsoft Corporation

(IE40)

(IE4Data)

(IE5BAKEX)

Windows Internet Explorer 7 20061107.210142 (ie7)
install date: 20070320
uninstall cmd: "C:\WINDOWS\ie7\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://www.microsoft.com/ie

(IEData)

(IEREADME)

(InstallShield Uninstall Information)

Canon Utilities RemoteCapture 2.7 2.7.5 (InstallShield_{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4})
version: 34013189
version (major): 2
version (minor): 7
estimated size: 11808
install date: 20050507
install source: E:\SOFTWARE\REMCAP\ENGLISH\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Canon RemoteCapture Task for ZoomBrowser EX 0.9.0 (InstallShield_{2236B741-6631-49AE-B76E-3E14CA01CC87})
version: 589824
version (minor): 9
estimated size: 131
install date: 20050507
install source: E:\SOFTWARE\ZOOMBRSR\ENGLISH\RCTASK\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
publisher: Canon
comments:
contact:
help link:
help telephone:

Canon Utilities File Viewer Utility 1.3 1.3.2 (InstallShield_{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D})
version: 16973826
version (major): 1
version (minor): 3
estimated size: 8576
install date: 20050507
install source: E:\SOFTWARE\FVU\ENGLISH\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Canon EOS Kiss REBEL 300D WIA Driver 5.1 (InstallShield_{31A57C3E-30DD-421F-B5C7-974DACB0D05F})
version: 83951616
version (major): 5
version (minor): 1
estimated size: 32
install date: 20050507
install source: E:\SOFTWARE\WIA\E3KR\ENGLISH\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{31A57C3E-30DD-421F-B5C7-974DACB0D05F}
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Quicken 2004 13.00.0000 (InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8})
version: 218103808
version (major): 13
estimated size: 95072
install date: 20050410
install source: E:\DISK1\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
publisher: Intuit
comments: All URL's valid as of October 2001
contact: Customer Support Department
help link: http://www.intuit.com/support/quicken
help telephone: 1-900-555-4932
readme: Readme.txt

Canon Camera Window for ZoomBrowser EX 4.5.2 (InstallShield_{A29EA741-24F7-4C07-9B2C-06CB6491BE4A})
version: 67436546
version (major): 4
version (minor): 5
estimated size: 18900
install date: 20050507
install source: E:\SOFTWARE\CW\ENGLISH\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Canon Utilities PhotoStitch 3.1 3.1.10 (InstallShield_{F11A403B-0DE9-4953-B790-7A2F014FBB2B})
version: 50397194
version (major): 3
version (minor): 1
estimated size: 1472
install date: 20050507
install source: E:\SOFTWARE\PSTITCH\ENGLISH\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{F11A403B-0DE9-4953-B790-7A2F014FBB2B}
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Canon RAW Image Task for ZoomBrowser EX 0.9.0 (InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23})
version: 589824
version (minor): 9
estimated size: 133
install date: 20050507
install source: E:\SOFTWARE\ZOOMBRSR\ENGLISH\RAWTASK\
uninstall cmd: C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\DRIVER\7\INTEL 32\IDRIVER.EXE /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
publisher: Canon
comments:
contact:
help link:
help telephone:

Intel Security Driver (Intel Security Driver)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Intel Security Driver\Uninst.isu"

Windows XP Hotfix - KB873339 20041117.092459 (KB873339)
uninstall cmd: C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=873339

(KB884016)

Windows XP Hotfix - KB885835 20041027.181713 (KB885835)
uninstall cmd: C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=885835

Windows XP Hotfix - KB885836 20041028.173203 (KB885836)
uninstall cmd: C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=885836

Windows XP Hotfix - KB886185 20041021.090540 (KB886185)
uninstall cmd: C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=886185

Windows XP Hotfix - KB887472 20041014.162858 (KB887472)
uninstall cmd: C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=887472

Windows XP Hotfix - KB888302 20041207.111426 (KB888302)
uninstall cmd: C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=888302

Windows XP Hotfix - KB890859 1 (KB890859)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=890859

Windows XP Hotfix - KB891781 20050110.165439 (KB891781)
uninstall cmd: C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=891781

Security Update for Windows XP (KB893756) 1 (KB893756)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=893756

(KB893803)

Windows Installer 3.1 (KB893803) 3.1 (KB893803v2)
uninstall cmd: "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467

Update for Windows XP (KB894391) 1 (KB894391)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=894391

Security Update for Windows XP (KB896358) 1 (KB896358)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=896358

Security Update for Windows XP (KB896423) 1 (KB896423)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=896423

Security Update for Windows XP (KB896424) 1 (KB896424)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=896424

Security Update for Windows XP (KB896428) 1 (KB896428)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=896428

Update for Windows XP (KB898461) 1 (KB898461)
install date: 20070318
uninstall cmd: "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=898461

Security Update for Windows XP (KB899587) 1 (KB899587)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=899587

Security Update for Windows XP (KB899591) 1 (KB899591)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=899591

Update for Windows XP (KB900485) 2 (KB900485)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=900485

Security Update for Windows XP (KB900725) 1 (KB900725)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=900725

Security Update for Windows XP (KB901017) 1 (KB901017)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=901017

Security Update for Windows XP (KB901190) 1 (KB901190)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=901190

Security Update for Windows XP (KB901214) 1 (KB901214)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=901214

Security Update for Windows XP (KB902400) 1 (KB902400)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=902400

Security Update for Windows XP (KB904706) 2 (KB904706)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=904706

Security Update for Windows XP (KB905414) 1 (KB905414)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=905414

Security Update for Windows XP (KB905749) 1 (KB905749)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=905749

Security Update for Windows XP (KB908519) 1 (KB908519)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=908519

Update for Windows XP (KB908531) 2 (KB908531)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=908531

Update for Windows XP (KB910437) 1 (KB910437)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=910437

Update for Windows XP (KB911164) 1 (KB911164)
install date: 20070318
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=911164

Update for Windows XP (KB911280) 2 (KB911280)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=911280

Security Update for Windows XP (KB911562) 1 (KB911562)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=911562

Security Update for Windows Media Player (KB911564) (KB911564)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com/?kbid=911564

Security Update for Windows XP (KB911927) 1 (KB911927)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=911927

Security Update for Windows XP (KB912919) 1 (KB912919)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=912919

Security Update for Windows XP (KB913580) 1 (KB913580)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=913580

Security Update for Windows XP (KB914388) 1 (KB914388)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=914388

Security Update for Windows XP (KB914389) 1 (KB914389)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=914389

Hotfix for Windows XP (KB915865) 10 (KB915865)
install date: 20070320
uninstall cmd: "C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=915865

shaconaqe
2007-04-15, 00:56
Spybot continued:


Update for Windows XP (KB916595) 1 (KB916595)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=916595

Security Update for Windows XP (KB917344) 1 (KB917344)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=917344

Security Update for Windows XP (KB917422) 1 (KB917422)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=917422

Security Update for Windows Media Player 9 (KB917734) (KB917734_WMP9)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com/?kbid=917734

Security Update for Windows XP (KB917953) 1 (KB917953)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=917953

Security Update for Windows XP (KB918118) 1 (KB918118)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=918118

Security Update for Windows XP (KB918439) 1 (KB918439)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=918439

Security Update for Windows XP (KB919007) 1 (KB919007)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=919007

Security Update for Windows XP (KB920213) 1 (KB920213)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=920213

Security Update for Windows XP (KB920670) 1 (KB920670)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=920670

Security Update for Windows XP (KB920683) 1 (KB920683)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=920683

Security Update for Windows XP (KB920685) 1 (KB920685)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=920685

Update for Windows XP (KB920872) 1 (KB920872)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=920872

Update for Windows XP (KB922582) 1 (KB922582)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=922582

Security Update for Windows XP (KB922819) 1 (KB922819)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=922819

Security Update for Windows XP (KB923191) 1 (KB923191)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=923191

Security Update for Windows XP (KB923414) 1 (KB923414)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=923414

Security Update for Windows XP (KB923689) (KB923689)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=923689

Security Update for Windows XP (KB923694) 1 (KB923694)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=923694

Security Update for Windows XP (KB923980) 1 (KB923980)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=923980

Security Update for Windows XP (KB924191) 1 (KB924191)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=924191

Security Update for Windows XP (KB924270) 1 (KB924270)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=924270

Security Update for Windows XP (KB924496) 1 (KB924496)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=924496

Security Update for Windows XP (KB924667) 1 (KB924667)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=924667

Security Update for Windows Media Player 6.4 (KB925398) (KB925398_WMP64)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com/?kbid=925398

Security Update for Windows XP (KB925902) 1 (KB925902)
install date: 20070405
uninstall cmd: "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=925902

Security Update for Windows XP (KB926255) 1 (KB926255)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=926255

Security Update for Windows XP (KB926436) 1 (KB926436)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=926436

Security Update for Windows XP (KB927779) 1 (KB927779)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=927779

Security Update for Windows XP (KB927802) 1 (KB927802)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=927802

Security Update for Windows XP (KB928090) 1 (KB928090)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=928090

Security Update for Windows Internet Explorer 7 (KB928090) 20070117.120000 (KB928090-IE7)
install date: 20070322
uninstall cmd: "C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=928090

Security Update for Windows XP (KB928255) 1 (KB928255)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=928255

Security Update for Windows XP (KB928843) 1 (KB928843)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=928843

Update for Windows XP (KB929338) 1 (KB929338)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=929338

Security Update for Windows Internet Explorer 7 (KB929969) 20061222.120000 (KB929969)
install date: 20070322
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=929969

Security Update for Windows XP (KB930178) 1 (KB930178)
install date: 20070411
uninstall cmd: "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=930178

Security Update for Windows XP (KB931261) 1 (KB931261)
install date: 20070411
uninstall cmd: "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=931261

Security Update for Windows XP (KB931784) 1 (KB931784)
install date: 20070411
uninstall cmd: "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=931784

Update for Windows XP (KB931836) 1 (KB931836)
install date: 20070319
uninstall cmd: "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=931836

Security Update for Windows XP (KB932168) 1 (KB932168)
install date: 20070411
uninstall cmd: "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=932168

(Launcher)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Launcher\Launcher.isu"

LiveAdvisor (Symantec Corporation) 2.0.0.840 (LiveAdvisor)
install location: C:\Program Files\Common Files\Symantec Shared\LiveAdvisor
uninstall cmd: C:\Program Files\Common Files\Symantec Shared\LiveAdvisor\VCSETUP.EXE /REMOVE
publisher: Symantec Corporation

LiveUpdate 1.6 (Symantec Corporation) (LiveUpdate1.6)
install location: C:\Program Files\Symantec\LiveUpdate
uninstall cmd: C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
publisher: Symantec Corporation

(Midi Samples)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"

(MobileOptionPack)

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(MSTASK)

(NetMeeting)

Microsoft National Language Support Downlevel APIs (NLSDownlevelMapping)
install date: 20070320
uninstall cmd: "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
publisher: Microsoft Corporation

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

(PhotoRecord)

(PlayCenter)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter\Player.isu"

Internet Explorer Q903235 (Q903235)
uninstall cmd: C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=903235

(SchedulingAgent)

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
publisher: Adobe Systems
help link: http://www.adobe.com/go/flashplayer_support/

(Sound Blaster Live!)

(Sound Blaster Live! Experience)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SBLiveXP.isu"

Sound Blaster Live! Value (Sound Blaster Live! Value)
uninstall cmd: C:\Program Files\Creative\SBLive\PROGRAM\CTUNINST.EXE

(SoundFont Banks)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

TurboTax Basic 2004 (TurboTax Basic 2004)
uninstall cmd: C:\Program Files\TurboTax\Basic 2004\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2004\Uninstall.log" -NoGui

TurboTax Basic 2005 (TurboTax Basic 2005)
uninstall cmd: C:\Program Files\TurboTax\Basic 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2005\Uninstall.log" -NoGui

TurboTax Basic 2006 (TurboTax Basic 2006)
uninstall cmd: C:\Program Files\TurboTax\Basic 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2006\Uninstall.log" -NoGui

Tweak UI (Tweak UI 2.10)
uninstall cmd: "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"

(VGX)

Windows Genuine Advantage Notifications (KB905474) 1.7.0018.5 (WgaNotify)
install date: 20070405
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=905474

Windows XP Uninstall (Windows)
install location: C:\undo
uninstall cmd: %SYSTEMROOT%\system32\osuninst.exe

Yahoo! Messenger (Yahoo! Messenger)
uninstall cmd: C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

Microsoft Office 2000 SR-1 Professional 9.00.3821 ({00010409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 223977
install date: 20050407
install source: D:\
uninstall cmd: MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt

RemoteCapture 2.7.5 2.7.5 ({14220DB1-DD96-4BCD-B3D5-03A4EA6631C4})
version: 34013189
version (major): 2
version (minor): 7
estimated size: 11808
install date: 20050507
install source: E:\SOFTWARE\REMCAP\ENGLISH\
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

RemoteCapture Task 0.9.0 ({2236B741-6631-49AE-B76E-3E14CA01CC87})
version: 589824
version (minor): 9
estimated size: 131
install date: 20050507
install source: E:\SOFTWARE\ZOOMBRSR\ENGLISH\RCTASK\
publisher: Canon
comments:
contact:
help link:
help telephone:

Google Toolbar for Internet Explorer ({2318C2B1-4965-11d4-9B18-009027A5CD4F})
uninstall cmd: regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"

File Viewer Utility 1.3.2 1.3.2 ({2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D})
version: 16973826
version (major): 1
version (minor): 3
estimated size: 8576
install date: 20050507
install source: E:\SOFTWARE\FVU\ENGLISH\
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

TurboTax ItsDeductible 2005 9.05.0000 ({2E7595EC-4FB1-4E29-93D4-9083C8A9B107})
version: 151322624
version (major): 9
version (minor): 5
estimated size: 29893
install date: 20060325
install location: C:\Program Files\ItsDeductible2005\
install source: E:\ID\Setup\
uninstall cmd: MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
publisher: Intuit

Canon Camera WIA Driver 5.1 ({31A57C3E-30DD-421F-B5C7-974DACB0D05F})
version: 83951616
version (major): 5
version (minor): 1
estimated size: 32
install date: 20050507
install source: E:\SOFTWARE\WIA\E3KR\ENGLISH\
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

J2SE Runtime Environment 5.0 Update 6 1.5.0.60 ({3248F0A8-6813-11D6-A77B-00B0D0150060})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 245185
install date: 20060209
install source: http://jdl.sun.com/webapps/download/GetFile/1.5.0_06-b05/windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_06\README.txt

Microtek FineReader OCR Engine ({345C90FB-FA10-11D5-9C2A-0080C85A0C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}\setup.exe"

WebFldrs XP 9.50.7523 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154279267
version (major): 9
version (minor): 50
estimated size: 2484
install date: 20070318
install source: C:\WINDOWS\system32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

ItsDeductible Express 1.00.0000 ({36495C59-089C-49D1-BD15-9E5BD86DC9A1})
version: 16777216
version (major): 1
estimated size: 27570
install date: 20050410
install location: C:\Program Files\ItsDeductibleEX\
install source: E:\ID\Setup\
uninstall cmd: MsiExec.exe /X{36495C59-089C-49D1-BD15-9E5BD86DC9A1}
publisher: Intuit

({3FCAADB8-EB1B-11D6-AB2D-0090271A23A2})

Quicken 2004 13.00.0000 ({54DE0B75-6CD9-44C4-B10A-1F25DA9899D8})
version: 218103808
version (major): 13
estimated size: 95072
install date: 20050410
install source: E:\DISK1\
publisher: Intuit
comments: All URL's valid as of October 2001
contact: Customer Support Department
help link: http://www.intuit.com/support/quicken
help telephone: 1-900-555-4932
readme: Readme.txt

shaconaqe
2007-04-15, 00:57
Spybot continued (to end):


QuickTime 7.1.5.120 ({5E863175-E85D-44A6-8968-82507D34AE7F})
version: 117506053
version (major): 7
version (minor): 1
estimated size: 75171
install date: 20070325
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\IXP475.TMP\
uninstall cmd: MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

Ad-Aware SE Personal 1.0.6 ({78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747})
version: 16777222
version (major): 1
estimated size: 3121
install date: 20070325
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
publisher: Lavasoft AB
help link: http://www.lavasoftsupport.com

Camera Window 4.5.2 ({A29EA741-24F7-4C07-9B2C-06CB6491BE4A})
version: 67436546
version (major): 4
version (minor): 5
estimated size: 18900
install date: 20050507
install source: E:\SOFTWARE\CW\ENGLISH\
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

Microsoft IntelliPoint ({ABEA93FA-8D65-11D2-98AB-00C04F79C5D1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}\setup.exe" Uninstall

TurboTax ItsDeductible 2006 10.00.0000 ({AFF1EA96-9C23-4249-B7D4-CD4B54D4582F})
version: 167772160
version (major): 10
estimated size: 22662
install date: 20070324
install location: C:\Program Files\ItsDeductible2006\
install source: E:\ID\Setup\
uninstall cmd: MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
publisher: Intuit

ScanWizard 5 ({B08D262E-D902-11D5-9C28-0080C85A0C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B08D262E-D902-11D5-9C28-0080C85A0C2D}\setup.exe"

Canon PhotoRecord 02.00.00029 ({BEF56F2D-56ED-4176-BF72-7B68D4A3B98D})
version: 33554461
version (major): 2
install date: 20050507
install source: E:\SOFTWARE\PR2\
uninstall cmd: MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
publisher: Cisra

Canon Utilities ZoomBrowser EX 04.05.01148 ({C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2})
version: 67437692
version (major): 4
version (minor): 5
install date: 20050507
install source: E:\SOFTWARE\ZOOMBRSR\ENGLISH\
uninstall cmd: MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
publisher: CISRA

Ulead DVD PictureShow SE Basic ({CAAD3C25-8664-11D5-BEAF-0010B5557565})
version (major): 1
install location: C:\Program Files\Ulead Systems\Ulead DVD PictureShow
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CAAD3C25-8664-11D5-BEAF-0010B5557565}\SETUP.EXE"
publisher: Ulead System

Ulead Photo Explorer 7.0 SE ({E38E1721-7FE7-11D4-A898-0000E83DCDA6})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E38E1721-7FE7-11D4-A898-0000E83DCDA6}\SETUP.EXE"

PhotoStitch 3.1.10 ({F11A403B-0DE9-4953-B790-7A2F014FBB2B})
version: 50397194
version (major): 3
version (minor): 1
estimated size: 1472
install date: 20050507
install source: E:\SOFTWARE\PSTITCH\ENGLISH\
publisher: Canon
comments:
contact:
help link:
help telephone:
readme:

RAW Image Task 0.9.0 ({FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23})
version: 589824
version (minor): 9
estimated size: 133
install date: 20050507
install source: E:\SOFTWARE\ZOOMBRSR\ENGLISH\RAWTASK\
publisher: Canon
comments:
contact:
help link:
help telephone:

shaconaqe
2007-04-15, 01:00
OK, last post. I thought I should post a new HJT log since the last one was before the Panda scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:51 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: ATI2chx - C:\WINDOWS\SYSTEM32\ATI2chx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

shaconaqe
2007-04-15, 01:01
By the way-- THANK YOU!!!

Mr_JAk3
2007-04-19, 20:09
Hello shaconaqe and welcome to the Forums :)

Sorry for the long delay...we usually look for 0 reply topics - this is probably why you had to wait this long...

You're infected...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
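The entries that prompted the "you're infected" verdict above are visible in the HijackThis logs: two unnamed BHOs loading DLLs from system32 (one with a tmp*.tmp.dll name), a Winlogon Notify entry pointing at the same ATI2chx.dll, and a populated AppInit_DLLs value. As an added example (not part of this thread and not code from HijackThis or VundoFix), here is a small Python triage script that applies exactly those checks to HJT log lines. The sample log is constructed from entries quoted in the thread; the rule wording and the function name triage_hjt are my own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: HijackThis 1.99.1 lines in the format seen in this thread,
# mixing clean entries (Acrobat, Spybot SDHelper, AVG) with the Vundo-style ones.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: ATI2chx - C:\WINDOWS\SYSTEM32\ATI2chx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# HJT line shapes used here (O2 BHO, O20 AppInit_DLLs, O20 Winlogon Notify).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# tmpB.tmp.dll / tmp14.tmp.dll style names, as removed by VundoFix and ComboFix in this thread.
TMP_DLL_RE = re.compile(r"^tmp[0-9A-Fa-f]*\.tmp\.dll$", re.IGNORECASE)
SYSDIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def triage_hjt(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: {'line': str, 'reasons': [str, ...]}.

    Only O2 and O20 lines are examined; everything else passes through unflagged.
    """
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]

    # First pass: remember every BHO DLL basename so O20 entries can be cross-referenced.
    bho_dlls = set()
    for ln in lines:
        m = BHO_RE.match(ln)
        if m:
            bho_dlls.add(ntpath.basename(m.group("path")).lower())

    findings: List[Dict[str, object]] = []
    for ln in lines:
        reasons: List[str] = []

        m = BHO_RE.match(ln)
        if m:
            path = m.group("path")
            base = ntpath.basename(path).lower()
            # An unnamed BHO is not suspicious by itself (Spybot's SDHelper has no name);
            # an unnamed BHO living in the Windows system directory is.
            if m.group("name") == "(no name)" and SYSDIR_RE.search(path):
                reasons.append("unnamed BHO loaded from the Windows system directory")
            if TMP_DLL_RE.match(base):
                reasons.append("BHO DLL has a temp-file style name")
            if m.group("missing"):
                reasons.append("BHO CLSID still registered but its DLL is gone")

        m = APPINIT_RE.match(ln)
        if m:
            reasons.append(
                "AppInit_DLLs is set: %s is injected into every process that loads user32.dll"
                % m.group("dlls").strip()
            )

        m = NOTIFY_RE.match(ln)
        if m:
            base = ntpath.basename(m.group("path")).lower()
            if base in bho_dlls:
                reasons.append("Winlogon Notify DLL is also registered as a BHO (double persistence)")
            if TMP_DLL_RE.match(base):
                reasons.append("Winlogon Notify DLL has a temp-file style name")

        if reasons:
            findings.append({"line": ln, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

On the constructed sample this flags four lines (the two system32 BHOs, the AppInit_DLLs value and the ATI2chx Winlogon Notify entry) and leaves Acrobat, SDHelper, AVG and WgaLogon alone. The AppInit_DLLs rule only reports that the value is populated; whether a given DLL there is legitimate still needs a file check such as the VirusTotal step used later in this thread.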

shaconaqe
2007-04-20, 05:55
Thanks Mr. JAk3!

Here is the Vundo log:


VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:35:48 PM 4/19/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\ATI2chx.dll
C:\WINDOWS\system32\tmp14.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ATI2chx.dll
C:\WINDOWS\SYSTEM32\ATI2chx.dll Has been deleted!

Performing Repairs to the registry.
Done!


Here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 11:50:59 PM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

Mr_JAk3
2007-04-21, 21:16
Hello :)

We'll continue...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

shaconaqe
2007-04-22, 04:35
Here is the combofix log:



"Gateway User" - 07-04-21 22:21:12 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Gateway User\Desktop\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmpB.tmp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\start.exe


((((((((((((((((((((((((((((((( Files Created from 2007-03-21 to 2007-04-21 ))))))))))))))))))))))))))))))))))


2007-04-19 23:35 <DIR> d-------- C:\VundoFix Backups
2007-04-14 17:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-14 13:56 106,767 --a------ C:\WINDOWS\rqolmj.dll
2007-04-01 12:55 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\Help
2007-03-31 17:38 1,774 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-03-25 16:52 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\Apple Computer
2007-03-25 16:47 <DIR> d-------- C:\Program Files\QuickTime
2007-03-25 16:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-25 15:50 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\vlc
2007-03-25 14:30 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\Lavasoft
2007-03-25 14:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-25 14:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-24 16:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-24 12:34 <DIR> d-------- C:\Program Files\ItsDeductible2006
2007-03-24 12:29 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\InstallShield
2007-03-24 11:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-03-24 11:09 <DIR> d-------- C:\Program Files\Yahoo!
2007-03-24 10:43 <DIR> d-------- C:\WINDOWS\canonbj
2007-03-24 10:42 97,280 --------- C:\WINDOWS\SYSTEM32\CNMLM3k.DLL
2007-03-24 10:42 5,632 --a------ C:\WINDOWS\SYSTEM32\CNMVS3k.DLL
2007-03-24 10:42 36,864 --a------ C:\WINDOWS\SYSTEM32\CNMCP3K.EXE
2007-03-24 10:42 <DIR> d--h----- C:\BJPrinter
2007-03-24 10:33 <DIR> d--hs---- C:\Recycled


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-19 23:56 4841082 --ah----- C:\DOCUME~1\GATEWA~1\APPLIC~1\iconcache.db
2007-03-25 12:53 30072 --a------ C:\DOCUME~1\GATEWA~1\APPLIC~1\gdipfontcachev1.dat
2007-03-19 21:07 -------- d-------- C:\Program Files\alwil software
2007-03-18 22:38 27149 --a------ C:\WINDOWS\SYSTEM32\cbxww.exe
2007-03-18 22:08 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\versiontracker pro
2007-03-18 17:28 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-18 17:26 5092 --a------ C:\WINDOWS\lnkstub.dat
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\support.com
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\snapfish
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\participatory culture foundation
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\msn6
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\intuit
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\intertrust
2007-03-18 17:19 -------- d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\google
2007-03-18 17:14 21640 --a------ C:\WINDOWS\SYSTEM32\emptyregdb.dat
2007-03-18 17:14 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-18 17:12 -------- d-------- C:\Program Files\windows nt
2007-03-18 17:05 62 --ahs---- C:\DOCUME~1\GATEWA~1\APPLIC~1\desktop.ini
2007-03-17 20:12 241 --a------ C:\DOCUME~1\GATEWA~1\APPLIC~1\dw.log
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-14 22:35 23552 --a------ C:\Program Files\http.doc
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-10 18:36 98304 --a------ C:\WINDOWS\SYSTEM32\qttask.exe
2007-02-10 17:15 57344 --a------ C:\WINDOWS\uneng.exe
2007-02-10 17:15 49152 --a------ C:\WINDOWS\SYSTEM32\cdrtc.dll
2007-02-10 17:15 45056 --a------ C:\WINDOWS\SYSTEM32\cdral.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{56d301fe-6de5-4129-a1ce-8c4c9da6f929} C:\WINDOWS\system32\ATI2chx.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Speed racer"="C:\\Program Files\\Creative\\PlayCenter\\CTSRReg.exe"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="interceptor.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"POINTER"="point32.exe"
"LoadQM"="loadqm.exe"
"Speed racer"="C:\\Program Files\\Creative\\PlayCenter\\CTSRReg.exe"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-21 22:24:10
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-21 22:24:17
C:\ComboFix-quarantined-files.txt ... 07-04-21 22:24

Mr_JAk3
2007-04-22, 20:16
Hello, we'll continue :)

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\SYSTEM32\cbxww.exe
Click on Send
Wait for the scan to end.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\rqolmj.dll
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

shaconaqe
2007-04-24, 06:46
Sorry for the slow reply-- I have been busy and away. It looks like my computer has been hosting malware orgies. Here are the scans:



Complete scanning result of "cbxww.exe", received in VirusTotal at 04.24.2007, 06:29:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.24.0 04.23.2007 no virus found
AntiVir 7.4.0.14 04.23.2007 HEUR/Crypted
Authentium 4.93.8 04.23.2007 no virus found
Avast 4.7.981.0 04.23.2007 no virus found
AVG 7.5.0.464 04.23.2007 no virus found
BitDefender 7.2 04.24.2007 MemScan:Trojan.Duntek.A
CAT-QuickHeal 9.00 04.23.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 04.24.2007 no virus found
DrWeb 4.33 04.23.2007 Trojan.Packed.49
eSafe 7.0.15.0 04.23.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3589 04.23.2007 no virus found
Ewido 4.0 04.23.2007 no virus found
FileAdvisor 1 04.24.2007 no virus found
Fortinet 2.85.0.0 04.24.2007 suspicious
F-Prot 4.3.2.48 04.23.2007 no virus found
F-Secure 6.70.13030.0 04.24.2007 no virus found
Ikarus T3.1.1.5 04.24.2007 Trojan-Downloader.Win32.Zlob.and
Kaspersky 4.0.2.24 04.24.2007 no virus found
McAfee 5015 04.23.2007 New Malware.aj
Microsoft 1.2405 04.24.2007 no virus found
NOD32v2 2213 04.23.2007 no virus found
Norman 5.80.02 04.23.2007 W32/Suspicious_U.gen
Panda 9.0.0.4 04.23.2007 Suspicious file
Prevx1 V2 04.24.2007 no virus found
Sophos 4.16.0 04.23.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.24.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.23.2007 Trojan.Packed.49
VirusBuster 4.3.7:9 04.23.2007 Packed/Upack
Webwasher-Gateway 6.0.1 04.24.2007 Heuristic.Crypted


Additional Information
File size: 27149 bytes
MD5: 0caccfd12f5c7a91e04030583390dd50
SHA1: 6e5d0288e89c7ab0a4c700ba21ccf83adc52ed6d
packers: UPack



***When I tried to upload the second file, AVG popped up and said it was a threat. When it asked what I wanted to do, I clicked on "heal" and AVG said that it was healed. I tried to upload it again and nothing appeared on the screen but:

0 bytes size received / Se ha recibido un archivo vacio

Mr_JAk3
2007-04-24, 20:42
Ok we'll continue :)

Let's end the malware party....

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll

Go to the My Computer and delete the following file (if present):
C:\WINDOWS\SYSTEM32\cbxww.exe

Restart the computer and post a fresh HijackThis log

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

shaconaqe
2007-04-25, 03:35
OK, here is the new HJT log, which was run before the online scan:


Logfile of HijackThis v1.99.1
Scan saved at 9:34:04 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

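Added example (not HijackThis code, and not from the forum or the posters): a script that does mechanically what the helper does by eye with these logs. It flags the O2/O3 entries with no display name or with a missing file, temp-style double extensions such as tmpB.tmp.dll, and a populated AppInit_DLLs value, and it diffs a "before" and "after" log to show what a fix actually changed. The sample lines are copied from the two logs posted above; the flagging rules are this example's own heuristics. A flag means "look at this", not "this is malware": Spybot's own SDHelper.dll registers as a "(no name)" BHO, and the AppInit_DLLs entry is reported here only as a review item, as the helper also left it alone.

```python
"""Triage HijackThis (HJT) log lines and diff a before/after pair.

Added example; not code from HijackThis, the forum or the posters. The
sample lines are copied from the logs posted in this thread; the rules
are this example's own heuristics and produce review items, not verdicts.
"""
import re
from dataclasses import dataclass, field

# "O2 - BHO: name - {CLSID} - path", "O4 - HKLM\..\Run: [name] cmd", ...
ENTRY_RE = re.compile(r"^(?P<section>O\d+)\s+-\s+(?P<body>.+)$")
PATH_RE = re.compile(r'(?i)[a-z]:\\[^\s"]+')  # first Windows path in the body
ORPHAN_MARKERS = ("(no file)", "(file missing)")
DOUBLE_EXT_RE = re.compile(r"(?i)\.(tmp|dat|log|txt)\.(dll|exe)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank line
        section, body = m["section"], m["body"]
        reasons = []
        if section in ("O2", "O3") and "(no name)" in body:
            reasons.append("BHO/toolbar registered without a display name")
        if any(mk in body for mk in ORPHAN_MARKERS):
            reasons.append("registration points at a file that no longer exists (orphan)")
        path = PATH_RE.search(body)
        if path and DOUBLE_EXT_RE.search(path.group(0)):
            reasons.append("loadable module with a temp-style double extension")
        if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is set: the DLL loads into every process that uses user32.dll")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def entries(log_text: str) -> set[str]:
    return {l.strip() for l in log_text.splitlines() if ENTRY_RE.match(l.strip())}


def diff_logs(before: str, after: str) -> dict:
    """What a 'fresh log' changed: entries gone and entries new."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Lines copied from the logs in this thread (subset). Raw strings keep the
# Windows backslashes as they appear in HJT output.
BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56d301fe-6de5-4129-a1ce-8c4c9da6f929} - C:\WINDOWS\system32\ATI2chx.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmpB.tmp.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: interceptor.dll
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - AppInit_DLLs: interceptor.dll
"""

if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("   -", r)
    print(diff_logs(BEFORE, AFTER))
```

Running it on the "before" lines yields four review items (SDHelper.dll on the name rule only, ATI2chx.dll and tmpB.tmp.dll on two rules each, and the O20 line), and the diff shows the fix removed the two malicious-looking BHO registrations while leaving an orphaned "(no file)" stub for the tmpB.tmp.dll CLSID, which is exactly the entry the helper asks to fix in the next round.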
shaconaqe
2007-04-25, 03:48
I could not do the online scan. After I agree to install the ActiveX control, the website just sends me back to the screen where I accept or decline their privacy statement, etc. The only problem is that this time, there are no accept or decline buttons, so I am forced to close out of that screen and try again. I did this at least 5 times but got the same result. I have never tried that scanner before.

Any thoughts? Thanks!

shaconaqe
2007-04-25, 04:06
After looking harder at the scanner problem I noticed that IE was blocking a bunch of cookies from the site. This continued despite my adding their domain to the "Always Allow" cookie list. I even changed my settings to allow all cookies, even 3rd party, and IE was still blocking them. I don't know if this has anything to do with the problem.

Mr_JAk3
2007-04-26, 20:24
Hello :)

We may use another scanner then.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below it and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log

shaconaqe
2007-04-28, 06:51
Hello--

I did as you asked, so here is the Cure-it report:


setupme.exe;C:\CABS\WinME\Modem\Redowl;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Gateway User\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
A0005744.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP7;Probably DLOADER.Trojan;Incurable.Moved.;
A0005859.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP7;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0006198.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP16;Tool.Prockill;Incurable.Moved.;
A0008618.EXE;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP20;Tool.ShutDown.11;Incurable.Moved.;
A0008701.dll;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP20;Trojan.Juan;Deleted.;
A0008809.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP21;Trojan.Packed.49;Deleted.;
tmpB.tmp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Juan;Deleted.;



Here is the new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:50:13 AM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

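Added example (not Dr.Web's code, and not from the forum or the posters): a parser for the semicolon-separated CureIt report above that sorts each hit by where it was found. Most of the rows here are copies inside System Restore points (the _restore{...}\RP folders), one is already in ComboFix's quarantine (C:\QooBox\Quarantine, with the .vir suffix), one is a "Tool." verdict on SmitfraudFix's own Process.exe, and only one is a file sitting live on disk. The rows are copied from the report; the location classes and the "Probably" heuristic check are this example's own conventions.

```python
"""Classify Dr.Web CureIt report rows (name;directory;threat;action;).

Added example; not code from Dr.Web, the forum or the posters. Sample rows
are copied from the CureIt report posted above; the location classes are
this example's own and say where a hit lives, not whether it is a true
positive.
"""
import csv
from collections import Counter
from io import StringIO

RESTORE_MARKER = r"\system volume information\_restore{"   # XP System Restore copies
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"               # ComboFix quarantine folder


def classify(directory: str, threat: str) -> str:
    """Where the hit lives; this drives what the user has to do about it."""
    d = directory.lower()
    if RESTORE_MARKER in d:
        return "restore_point"   # inactive copy; goes away when System Restore is cleared
    if d.startswith(QUARANTINE_PREFIX):
        return "quarantine"      # already neutralised by an earlier tool
    if threat.startswith("Tool."):
        return "tool"            # a utility the scanner dislikes; confirm it is yours
    return "live"                # an actual file on disk: review this one


def parse_report(text: str) -> list[dict]:
    rows = []
    for rec in csv.reader(StringIO(text), delimiter=";"):
        if len(rec) < 4:
            continue  # blank line or truncated row
        name, directory, threat, action = (f.strip() for f in rec[:4])
        rows.append({
            "name": name,
            "directory": directory,
            "threat": threat,
            "action": action,
            "heuristic": threat.startswith("Probably "),   # Dr.Web's generic prefix
            "location": classify(directory, threat),
        })
    return rows


def cureit_summary(text: str) -> dict:
    return dict(Counter(r["location"] for r in parse_report(text)))


def live_hits(text: str) -> list[str]:
    """Only the hits that were neither in a restore point, quarantine nor a tool."""
    return [r["name"] for r in parse_report(text) if r["location"] == "live"]


# Rows copied from the report posted above.
SAMPLE = r"""
setupme.exe;C:\CABS\WinME\Modem\Redowl;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Gateway User\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
A0005744.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP7;Probably DLOADER.Trojan;Incurable.Moved.;
A0005859.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP7;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0006198.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP16;Tool.Prockill;Incurable.Moved.;
A0008618.EXE;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP20;Tool.ShutDown.11;Incurable.Moved.;
A0008701.dll;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP20;Trojan.Juan;Deleted.;
A0008809.exe;C:\System Volume Information\_restore{B5DA4CB7-5EF9-4308-B713-A455BE3ADC57}\RP21;Trojan.Packed.49;Deleted.;
tmpB.tmp.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Trojan.Juan;Deleted.;
"""

if __name__ == "__main__":
    print(cureit_summary(SAMPLE))
    for r in parse_report(SAMPLE):
        print(f'{r["location"]:14} {r["name"]:18} {r["threat"]}')
```

The breakdown (six restore-point copies, one quarantine file, one tool, one live file) is why the closing advice in this thread includes clearing System Restore: the RP copies are the same samples already removed from the live system, and a later restore would bring them back.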
Mr_JAk3
2007-04-29, 20:08
Hello :)

How is the computer running now?

Fix this entry with HijackThis:

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)

Restart the computer and post a fresh HijackThis log :bigthumb:

shaconaqe
2007-04-30, 03:40
Well my computer seems to be running without problems! Thank you very much. If my HJT log looks good, could you give me some pointers about what I need to protect my computer? And is my Java version correct?

Here is the updated HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:36:34 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

Mr_JAk3
2007-04-30, 21:40
Hi again, it is looking clean now :)

You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)