View Full Version : Virtumonde - How to remove?
Extemporaneous
2007-08-09, 00:32
Hi,
[Logs as requested follow below. However, I was presented with a dilemma when I tried to post this message. My post contained over 36000 characters, and the limit is set to 20000. And no attachments... So, I have removed part of the HJT log, and would be happy to supply it in my next post (as an attachment, possibly?)]
I ended up with VirtuMonde (vundu.dll et al) on my computer about 6 weeks ago. After a lot of research and pain, I managed to remove it, although I was left with a few software anomalies.
Today VirtuMonde returned. SpyBot S&D found it, and supposedly removed it (I don't think so).
I run AdAware 2007, Ad-Watch 2007, SpyBot S&D 1.4 regularly. My virus scanner (McAfee Enterprise 8.0.0) happily tells me I have no issues.
Any help would be highly appreciated.
Thanking you in advance...
-------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 23:48:28, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
[Removed for this post]
...
F:\Download\__Incoming\HijackThis.exe
[R1 through to R3 removed for this post]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,"C:\Enabler\server\bin\OMSShutd.exe"
[Most of O2 removed]
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D9CF9E72-1E65-4EC1-B57A-19BE12030BF5} - C:\WINDOWS\system32\qomkjjg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
[O4, O8, O9 Removed]
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://dev6.tpg.au.com
[O16, O17, O18 Removed]
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: UDS Environment Manager 5.0.1 - Unknown owner - c:\forte\install\bin\nodemgr.exe
O23 - Service: UDS Repository Manager 5.0.1 - Unknown owner - c:\forte\install\bin\rpserver.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: ZoneTick Time (ZTime) - WR Consulting - C:\Program Files\ZoneTick\timesync.exe
--------------------------------------------------------
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx
--------------------------------------------------------
Virus scan finished. 10 viruses found.
Scan Results: 331896 files scanned. 10 viruses were detected.
File Infection Status Path
T-202477-Fruity Loops Studio 7 0 Producer Edition 2007 exe.zip.Vir Win32/Alcan.I infected C:\quarantine\
T-202477-Fruity Loops Studio 7 0 Producer Edition 2007 exe.zip.Vir.0 Win32/Alcan.I!ZIP infected C:\quarantine\
T-742753-Fruity Loops Studio v.7 XXL Edition 2007.rar.Vir Win32/Nooz.A!ZIP infected C:\quarantine\
hkmjptpv.dll.bad Win32/Vundo.DB infected C:\VundoFix Backups\
kjygscfl.dll.bad Win32/Vundo.DB infected C:\VundoFix Backups\
oqmnqaty.dll.bad Win32/Vundo.DB infected C:\VundoFix Backups\
qomkjjg.dll.bad Win32/Chisyne!generic infected C:\VundoFix Backups\
whcvwuri.dll.bad Win32/Vundo.DB infected C:\VundoFix Backups\
ngewqisj.exe Win32/Secdrop.OB infected C:\WINDOWS\system32\
nwaeurcr.exe Win32/Secdrop.OB infected C:\WINDOWS\system32\
pskelley
2007-08-09, 04:01
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Pinned to the top of the forum and posted above are the instructions. Please read and follow them and post complete HJT log with nothing removed, if you need multiple posts, that is fine.
I see a lot of infected stuff in:
C:\quarantine\ and C:\VundoFix Backups\ you may delete all of that from your computer. Remove Vundofix completely, if we need it again I will want it downloaded new.
You may also delete these infected files:
Win32/Secdrop.OB infected C:\WINDOWS\system32\ngewqisj.exe
Win32/Secdrop.OB infected C:\WINDOWS\system32\nwaeurcr.exe
Thanks
Extemporaneous
2007-08-09, 17:09
Hi,
Thanks for your response. My delay can be attributed to that I did another online scan which took the best part of 5 hours.
Anyway... as per your suggestions, I have removed the VundoFix files and the other infected files. The online scan came back clean (log at the end).
This post is in two parts, due to the size of the HJT log.
Thanks :-)
------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 17:00:30, on 09/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ZoneTick\timesync.exe
C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\DesktopLightning\DesktopLightning.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ZoneTick\zonetick.exe
F:\Download\__Incoming\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/campaign.asp?cid=16326
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,"C:\Enabler\server\bin\OMSShutd.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D9CF9E72-1E65-4EC1-B57A-19BE12030BF5} - C:\WINDOWS\system32\qomkjjg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE BenQ Web Camera
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [DesktopLightning] C:\Program Files\DesktopLightning\DesktopLightning.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://dev6.tpg.au.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.ap.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181335469984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157092509000
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
[O17 et al to be found in Part 2]
Extemporaneous
2007-08-09, 17:11
[Continued from Part 1]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\Software\..\Telephony: DomainName = ntl.tpg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9A7DA4-1174-4123-A632-45313540BE6E}: NameServer = 202.50.84.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O18 - Protocol: bw+0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {8880FDB8-BAAF-48C0-8599-E9EB94EF7424} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: UDS Environment Manager 5.0.1 - Unknown owner - c:\forte\install\bin\nodemgr.exe
O23 - Service: UDS Repository Manager 5.0.1 - Unknown owner - c:\forte\install\bin\rpserver.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: ZoneTick Time (ZTime) - WR Consulting - C:\Program Files\ZoneTick\timesync.exe
--------------------------------------------------------
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx
--------------------------------------------------------
Virus scan finished. No viruses found.
Scan Results: Scan Completed. 331971 files scanned. No viruses found.
File Infection Status Path
- No Infections
pskelley
2007-08-09, 18:57
Thanks for returning a complete HJT log, let me post this information for that will help us both.
For your information, all of the 018 items in the log are the result of the Logitech Desktop Messenger which gets installed along with another Logitech program because the EULA agreement is not read. Unless you know what it is and use it, it is a resource waster and can be removed in Add Remove programs, but make sure you uninstall only what I highlite in red, this is optional:
C:\Program Files\Logitech\Desktop Messenger\ <<< uninstall only the program in red.
I need to know what this is:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,"C:\Enabler\server\bin\OMSShutd.exe"
Google shows little: http://www.google.com/search?hl=en&q=OMSShutd.exe&btnG=Google+Search
Of you do not know what it is, then use one or more of these free scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
You may need to show hidden files and folder to see it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Post that information
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log
in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Thanks
Extemporaneous
2007-08-09, 23:40
Hi,
1) Logitech Messenger
All gone :cool:
2) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,"C:\Enabler\server\bin\OMSShutd.exe"
The c:\Enabler directory was not hidden, and it contained a Doc directory with an Administrator Manual. Apparently it is from SoftLab Enabling Technologies, and the manual was written in 1998. It is supposedly for managing datastores. There is no uninstall function, and it doesn't appear in Add/Remove Programs.
Some more digging... it seems to have been installed (or it is referenced in any case) from a piece of software called Select Component Factory:
http://www.csis.ul.ie/modules/cs5121/labs%5CComponent%20Factory%20Install%20Guide.pdf
I installed this a while ago to try it out, and subsequently removed it. Seems that it left its helper apps lying around... ummm... unless the helper app is also used by something else as well.
However... I also did a search on Google and found other HiJackThis logs where it appears as well, so I am not alone... whether that is good or bad is something I can't answer right now... :alien:
3) Running ComboFix now... logs will follow shortly.
Thank you for your help so far, in any case :-)
Extemporaneous
2007-08-10, 00:07
ComboFix 07-08-09.3 - "Peter Abolins" 2007-08-09 23:42:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.949 [GMT 3:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\PETERA~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\VKY4KQX8\www.broadcaster.com
C:\DOCUME~1\PETERA~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\PETERA~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\PETERA~1\MYDOCU~1.\pppatc~1
C:\WINDOWS\system32\dc.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\gunzip.exe
C:\WINDOWS\system32\pr.exe
C:\WINDOWS\system32\test.exe
F:\Autorun.inf
G:\Autorun.inf
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_IPRIP
-------\Iprip
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-09 23:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 23:14 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-08-06 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-28 10:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd
2007-07-25 16:49 <DIR> d-------- C:\Program Files\CCleaner
2007-07-19 12:40 <DIR> d-------- C:\Program Files\iTunes
2007-07-19 12:40 <DIR> d-------- C:\Program Files\iPod
2007-07-19 12:40 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-19 11:26 <DIR> d-------- C:\Program Files\Microsoft Enterprise Library January 2006
2007-07-13 10:05 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-13 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-09 22:51 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-07-09 00:38 <DIR> d-------- C:\Program Files\Dantz
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-09 23:47 --------- d-------- C:\DOCUME~1\PETERA~1\APPLIC~1\Skype
2007-08-09 22:54 --------- d-------- C:\Program Files\Logitech
2007-08-09 22:48 --------- d-------- C:\Program Files\ZoneTick
2007-08-09 00:42 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-08 15:31 --------- d-------- C:\Program Files\Windows Grep
2007-08-06 10:20 --------- d-------- C:\Program Files\Lavasoft
2007-08-06 10:20 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-05 15:12 --------- d-------- C:\Program Files\Picasa2
2007-07-28 10:15 --------- d-------- C:\Program Files\Common Files\LogiShrd
2007-07-28 01:43 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-25 14:16 --------- d-------- C:\Program Files\LimeWire
2007-07-13 10:07 --------- d-------- C:\Program Files\QuickTime
2007-07-08 22:47 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-08 22:46 --------- d-------- C:\Program Files\Maxtor
2007-07-08 17:20 --------- d-------- C:\Program Files\Microsoft SQL Server
2007-07-08 17:04 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-08 16:36 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-08 16:15 --------- d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2007-07-05 11:14 5 --a------ C:\WINDOWS\system32\drivers\DELL_XPS_MM061 .MRK
2007-07-05 11:14 5 --a------ C:\WINDOWS\system32\drivers\1028_DELL_XPS_MM061 .MRK
2007-07-05 11:11 --------- d-------- C:\Program Files\Dell
2007-07-01 07:53 --------- d-------- C:\Program Files\Common Files\Mercury Interactive
2007-06-30 15:16 --------- d-------- C:\Program Files\VP Suite 3.0
2007-06-30 13:27 --------- d-------- C:\Program Files\Visual Paradigm
2007-06-26 11:27 363520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-25 19:55 --------- d-------- C:\Program Files\Common Files\Skype
2007-06-22 11:45 --------- d-------- C:\DOCUME~1\PETERA~1\APPLIC~1\SecondLife
2007-06-19 20:59 --------- d-------- C:\Program Files\Latvijas Pasts
2007-06-15 16:58 1688 --a------ C:\WINDOWS\mozver.dat
2007-06-14 11:38 --------- d-------- C:\Program Files\CheckPoint
2007-06-13 16:02 --------- d-------- C:\DOCUME~1\PETERA~1\APPLIC~1\Help
2007-06-10 11:10 --------- d-------- C:\Program Files\Red Gate
2007-06-10 11:07 --------- d-------- C:\Program Files\Network Stumbler
2007-06-10 10:57 --------- d-------- C:\Program Files\ActiveState Komodo 3.5
2007-06-09 23:18 --------- d-------- C:\Program Files\Common Files\Scanner
2007-06-08 22:43 28044 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-29 17:31 737280 --a------ C:\WINDOWS\iun6002.exe
2007-05-16 18:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 18:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 18:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 18:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 18:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 18:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-14 11:42 323584 --a------ C:\WINDOWS\system32\swt-win32-3232.dll
2007-05-09 21:51 490272 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-05-09 21:51 465696 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-05-09 21:48 416544 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-05-09 21:48 195360 --a------ C:\WINDOWS\system32\lvci1100.dll
2007-05-09 20:37 15558 --a------ C:\WINDOWS\system32\Repository.reg
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5}]
C:\WINDOWS\system32\ddabx.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:00]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 04:28]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 04:28]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 06:48]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 12:41]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-26 20:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 11:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 11:50]
"NuTCSetupEnviron"="C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe" [2001-01-02 10:25]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 13:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-05 20:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 02:48]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2003-01-21 08:19]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 16:47]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 09:40]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-30 22:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 00:48]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 02:15]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"DesktopLightning"="C:\Program Files\DesktopLightning\DesktopLightning.exe" [2006-11-09 04:00]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-15 01:22]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 11:30 C:\WINDOWS\stsystra.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2003-10-10 11:23]
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2004-08-31 09:23]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2003-10-10 11:23]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 15:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-07-26 09:57]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 16:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-30 17:04]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 15:18]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 13:49]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-05-28 16:31]
"ZoneTick"="C:\Program Files\ZoneTick\zonetick.exe" [2007-08-04 16:19]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 13:28:28]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-25 22:48:37]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-05-19 14:41:12]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-09-24 14:30:46]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 17:07:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2003-04-08 17:45 24666 C:\WINDOWS\system32\ckpNotify.dll
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
R2 MSFtpsvc;FTP Publishing;C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ
R2 NuTCRACKERService;NuTCRACKER Service;C:\WINDOWS\system32\nutsrv4.exe
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys
R2 ZTime;ZoneTick Time;"C:\Program Files\ZoneTick\timesync.exe"
R3 ElbyCDFL;ElbyCDFL;C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys
R3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
R3 MXOFX;USB Storage Adapter FX (MXO);C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
R3 MXOPSWD;Maxtor OneTouch Security Driver;C:\WINDOWS\system32\DRIVERS\mxopswd.sys
R3 w39n51;Intel(R) PRO/Wireless 3945ABG Adapter Driver;C:\WINDOWS\system32\DRIVERS\w39n51.sys
S3 GT680x;GrandTechICNameNT;C:\WINDOWS\system32\Drivers\gt680x.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PD1170VID;Creative WebCam Notebook;C:\WINDOWS\system32\DRIVERS\p1170vid.sys
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
S3 rimmptsk;rimmptsk;C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
S3 rimsptsk;rimsptsk;C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
S3 rismxdp;Ricoh xD-Picture Card Driver;C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ;"C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ
S3 UDS Environment Manager 5.0.1;UDS Environment Manager 5.0.1;c:\forte\install\bin\nodemgr.exe
S3 UDS Repository Manager 5.0.1;UDS Repository Manager 5.0.1;c:\forte\install\bin\rpserver.exe
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S3 Z302Mic;BenQ Web Camera Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;BenQ Web Camera;C:\WINDOWS\system32\Drivers\usbvm302.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 UDS Environment Manager 5.0.3;UDS Environment Manager 5.0.3;c:\forte\install\bin\nodemgr.exe
S4 UDS Repository Manager 5.0.3;UDS Repository Manager 5.0.3;c:\forte\install\bin\rpserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
Contents of the 'Scheduled Tasks' folder
2007-08-09 09:33:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 23:56:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
Completion time: 2007-08-10 0:01:29
C:\ComboFix-quarantined-files.txt ... 2007-08-10 00:01
--- E O F ---
Extemporaneous
2007-08-10, 00:11
Logfile of HijackThis v1.99.1
Scan saved at 00:09:37, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ZoneTick\timesync.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\DesktopLightning\DesktopLightning.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Download\__Incoming\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/campaign.asp?cid=16326
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE BenQ Web Camera
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [DesktopLightning] C:\Program Files\DesktopLightning\DesktopLightning.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://dev6.tpg.au.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.ap.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181335469984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157092509000
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\Software\..\Telephony: DomainName = ntl.tpg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9A7DA4-1174-4123-A632-45313540BE6E}: NameServer = 202.50.84.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: UDS Environment Manager 5.0.1 - Unknown owner - c:\forte\install\bin\nodemgr.exe
O23 - Service: UDS Repository Manager 5.0.1 - Unknown owner - c:\forte\install\bin\rpserver.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: ZoneTick Time (ZTime) - WR Consulting - C:\Program Files\ZoneTick\timesync.exe
pskelley
2007-08-10, 00:36
Thanks for returning your information and the feedback. I want you to know I read all you said about this: C:\Enabler\server\bin\OMSShutd.exe and since you did not say to remove it, I will leave that decision up to you.
HJT must run from a drive to safely store backups in case the are needed in an emergency. Please move it from F:\ to C:\HJT\HijackThis.exe
I see a few things that are basically leftovers and NOT malware:
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
and I question this one, do you know it is safe:
O15 - Trusted Zone: http://dev6.tpg.au.com
Reason I show you is Adwatch and TeaTimer must be disabled to do that and you may prefer just to leave them, they can do no harm.
Can you tell me how the computer is running now, any malware issues at all?
Thanks
Extemporaneous
2007-08-10, 01:05
Hi PSKelley,
Thanks again for your help. It appears that things are running without any malware interference now, and I am hopeful that this will remain the case.
Regarding the items you highlighted. I suspect the trusted zone was set up by the LavaSoft Firewall I installed a couple of months ago (and yes - it is a valid, trusted zone). I had to uninstall the Firewall, because the VirtuMonde virus (incarnation 1) got to my machine before the firewall was set up properly, and was hence inside (rather than outside). My plan is to reinstall the firewall shortly.
Given that I already have a lot of stuff on my computer, I would prefer if the O2-BHO "leftovers" could be removed. Is it a simple process to remove these?
Thanks :)
Latest HJT log in separate post (following)
Extemporaneous
2007-08-10, 01:07
Logfile of HijackThis v1.99.1
Scan saved at 00:50:37, on 10/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\WINDOWS\Explorer.EXE
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\ZoneTick\timesync.exe
C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\DesktopLightning\DesktopLightning.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\ZoneTick\zonetick.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
[remainder in part 2]
Extemporaneous
2007-08-10, 01:08
[Following from part 1]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/campaign.asp?cid=16326
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D9CF9E72-1E65-4EC1-B57A-19BE12030BF5} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE BenQ Web Camera
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [DesktopLightning] C:\Program Files\DesktopLightning\DesktopLightning.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://dev6.tpg.au.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.ap.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181335469984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157092509000
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\Software\..\Telephony: DomainName = ntl.tpg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9A7DA4-1174-4123-A632-45313540BE6E}: NameServer = 202.50.84.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: UDS Environment Manager 5.0.1 - Unknown owner - c:\forte\install\bin\nodemgr.exe
O23 - Service: UDS Repository Manager 5.0.1 - Unknown owner - c:\forte\install\bin\rpserver.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: ZoneTick Time (ZTime) - WR Consulting - C:\Program Files\ZoneTick\timesync.exe
pskelley
2007-08-10, 02:16
G'day and thanks for that information, please follow these instructions.
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs
1) Spybot S&D (Teatimer)
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
2) Ad-Aware Ad-Watch
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {0EED2CAA-C85D-49A3-A3E7-5A1CAD9DE6D5} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D9CF9E72-1E65-4EC1-B57A-19BE12030BF5} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
You should be good to go. If you would like to run a good scan to look for anything that may be hidden, do this:
Make sure you delete combofix and the c:\qoofix\quarantine folders, the scan will see that as infections.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
If you are satisfied your computer is running as it should, and see no need for the additional scan, then do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Cheers...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Extemporaneous
2007-08-11, 12:14
Hi pskelley,
I did the Online Scan (Kaspersky) after doing some cleaning up:
-- Turned off TeaTimer
-- Turned off Ad-Watch RealTime
-- HJT System Scan / Removed orphans.
-- Downloaded and ran ATF Cleaner
-- Went through my Installed Programs and removed anything I didn't need.
-- Downloaded and ran StartupLite to clean out startup entries.
I have also installed a new firewall (LavaSoft). I did this before the above procedures.
Next steps are: I will clear out the System Restore files, and will delete any of the infected files mentioned in the Kaspersky Log. (Most of the infected stuff seems to be in backups of my system before I started cleaning it).
Thank you for all your help, so far :-) (I can see the light at the end of the tunnel) :)
-----------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 11, 2007 1:54:48 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/08/2007
Kaspersky Anti-Virus database records: 354470
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 534231
Number of viruses found: 6
Number of infected objects: 14
Number of suspicious objects: 4
Duration of the scan process: 15:18:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\184a97c0e6d56c03dc9d471eb6962bd9_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25ffd969d838423b1aaef05af6fb9748_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\29b55450e6c156aef970196b5456ded1_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\66b20ccdc59dd3a04df988b7270ad661_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68cbf9c1acb676a9bbdf9b81a4f6b4aa_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bfc621c8de351052c9ef3607138f75ee_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e43dda76f980309c3dcfec9a66a77592_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7dc23d6e7b5ae9064b24889a6c72039_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff8b66678c7314d84d615302215db357_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070810_Time-100715406_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070810_Time-100715406_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_EPHEMERA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_EPHEMERA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\AUPNP.log Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\cert8.db Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\history.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\key3.db Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\parent.lock Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\call256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chat256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chat4096.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chat512.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chat8192.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg16384.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg32768.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\chatsync\d9\d9b926cc1ce9d2c7.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\index2.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\profile4096.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\sms256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\sms512.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\user1024.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\user16384.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\user256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\user4096.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\Skype\onepluszero\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\XemiComputers\Active Desktop Calendar\Data\Active Desktop Calendar.xdat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\XemiComputers\Active Desktop Calendar\Log\ADC Errors Log.txt Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\XemiComputers\Active Desktop Calendar\Log\ADC Internet Errors Log.txt Object is locked skipped
C:\Documents and Settings\Peter Abolins\Application Data\XemiComputers\Active Desktop Calendar\Log\ADCLog.log Object is locked skipped
C:\Documents and Settings\Peter Abolins\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Application Data\Mozilla\Firefox\Profiles\wnezlb6p.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\History\History.IE5\MSHist012007081020070811\index.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Temp\Perflib_Perfdata_fa4.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Temp\Perflib_Perfdata_fd0.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Peter Abolins\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Peter Abolins\ntuser.dat.LOG Object is locked skipped
C:\lms\DataBase\lmsint2.mdf Object is locked skipped
C:\lms\DataBase\lmsint2_log.ldf Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(2400).trc Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000061.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000061.logaccount_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000061.loginitial_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000061.logLuuidDB Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000061.logptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_gui_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_service_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_watchdog_tde.log Object is locked skipped
C:\Program Files\Lavasoft\Personal Firewall\lf_data.ldb Object is locked skipped
C:\Program Files\Lavasoft\Personal Firewall\lf_data.mdb Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\Inventory2003SQL.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\Inventory2003SQL.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServerTempDB.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServerTempDB_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\sysdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\sysdb_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\test_platform_db.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\test_platform_db_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_578.trc Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Log\FlightRecorderCurrent.trc Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Log\msmdsrv.log Object is locked skipped
C:\Program Files\ZoneTick\timesync.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP108\A0026015.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP108\A0026016.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP108\A0026019.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP108\A0026020.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
[The remainder is in part 2]
Extemporaneous
2007-08-11, 12:15
[continued from part 1 - Kaspersky Online Scan]
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ckpNotify.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETEF51.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_138.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_898.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_8bc.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_a80.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\20070608\WINDOWS\system32\aylpkyyn.dll Infected: Trojan.Win32.BHO.o skipped
F:\20070608\WINDOWS\system32\ebcmlklm.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\20070608\WINDOWS\system32\ngewqisj.exe Infected: Trojan.Win32.Agent.anr skipped
F:\20070608\WINDOWS\system32\nwaeurcr.exe Infected: Trojan.Win32.Agent.anr skipped
F:\20070608\_Peter\Shared\FL Studio 6.0.8 Crack.aka Fruity loops all plugins unlocked XXL Edition 2 .zip/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\FL Studio 6.0.8 Crack.aka Fruity loops all plugins unlocked XXL Edition 2 .zip ZIP: infected - 1 skipped
F:\20070608\_Peter\Shared\Fruity loops 7 RC6 crack and YES it is real i hate fake stuff ENJOY.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\Fruity loops 7 RC6 crack and YES it is real i hate fake stuff ENJOY.zip ZIP: infected - 1 skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe/crack1.exe Infected: Trojan.Win32.StartPage.aog skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip ZIP: infected - 3 skipped
F:\Download\Outlook Folders\archive_20030617.pst/Archive Folder 20030617/Inbox/26 Sep 2002 22:21 from fishsal:Let's be friends.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Download\Outlook Folders\archive_20030617.pst Mail MS Mail: suspicious - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\change.log Object is locked skipped
Scan process completed.
Extemporaneous
2007-08-11, 13:02
H pskelley,
Thank you very much for all your assistance and help!
This is the last HJT... I hope :-)
The machine appears to be running well now :-)
:bigthumb:
---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:52:52, on 11/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ZoneTick\timesync.exe
C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\DesktopLightning\DesktopLightning.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ZoneTick\zonetick.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://au.mcafee.com/root/campaign.asp?cid=16326
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE BenQ Web Camera
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [DesktopLightning] C:\Program Files\DesktopLightning\DesktopLightning.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://dev6.tpg.au.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.ap.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181335469984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157092509000
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\Software\..\Telephony: DomainName = ntl.tpg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA9A7DA4-1174-4123-A632-45313540BE6E}: NameServer = 202.50.84.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ntl.tpg.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\MusicIP\MusicIP Mixer\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: UDS Environment Manager 5.0.1 - Unknown owner - c:\forte\install\bin\nodemgr.exe
O23 - Service: UDS Repository Manager 5.0.1 - Unknown owner - c:\forte\install\bin\rpserver.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: ZoneTick Time (ZTime) - WR Consulting - C:\Program Files\ZoneTick\timesync.exe
pskelley
2007-08-11, 15:42
Thanks for returning your information and the feedback.
KASPERSKY ONLINE SCANNER REPORT Saturday, August 11, 2007 1:54:48 AM
Number of infected objects: 14
Number of suspicious objects: 4
C:\System Volume Information\_restore (4)
F:\20070608\WINDOWS\system32\ebcmlklm.dll Suspicious: Packed.Win32.Morphine.a skipped
F:\20070608\WINDOWS\system32\ngewqisj.exe Infected: Trojan.Win32.Agent.anr skipped
F:\20070608\WINDOWS\system32\nwaeurcr.exe Infected: Trojan.Win32.Agent.anr skipped
F:\20070608\_Peter\Shared\FL Studio 6.0.8 Crack.aka Fruity loops all plugins unlocked XXL Edition 2 .zip/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\FL Studio 6.0.8 Crack.aka Fruity loops all plugins unlocked XXL Edition 2 .zip ZIP: infected - 1 skipped
F:\20070608\_Peter\Shared\Fruity loops 7 RC6 crack and YES it is real i hate fake stuff ENJOY.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\Fruity loops 7 RC6 crack and YES it is real i hate fake stuff ENJOY.zip ZIP: infected - 1 skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe/crack1.exe Infected: Trojan.Win32.StartPage.aog skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe/crack.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip/fruity loops.exe Infected: Trojan-Downloader.Win32.Small.ehb skipped
F:\20070608\_Peter\Shared\fruity loops CRACK.zip ZIP: infected - 3 skipped
(I would clean out those archives were it me)
F:\Download\Outlook Folders\archive_20030617.pst/Archive Folder 20030617/Inbox/26 Sep 2002 22:21 from fishsal:Let's be friends.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
Before I look at the HJT log, let me comment:
1) the System Restore items will be gone once you clean those files, be sure you remove all of the junk in Kaspersky or the SR files may get infected again when you set a new point.
2) New let me mention cracks just briefly. Not only are they illegal, they are extremely dangerous. If you fool with that junk you are going to stay infected and you can also wonder when the knock on the door will happen to inform you about stealing software. Do not doubt for a moment this is not known.
Make sure you delete the files in red and I strongly urge you to remove all of that from your computer. HJT is clean.
Thanks and safe surfing.
Extemporaneous
2007-08-11, 16:27
:bigthumb:
Thanks again... A few notes on your comments:
*) I removed all the old system restore stuff, and I manually deleted the other files mentioned by Kaspersky.
*) As far as cracks go, I am quite aware that letting them onto my computer is like playing with matches while sitting in a bathtub of petrol. The knock on the door is more of a moral/ethical decision, since given where I live, no-one seems to care about the legality or otherwise of software. - In any case, I agree with your comments about cracked software.
Even if I have worked with computers since 1984, I encountered my first virus ever in June this year, so I had essentially adopted the very common attitude of "It happens to other people".
I do appreciate all your assistance and help over the last few days.
:crowned:
pskelley
2007-08-18, 03:25
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.