Zlob.downloader.vdt removal



ohnredav
2008-06-11, 13:43
Have read the archived posts; can someone analyse my HJT scan?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:33 PM, on 11/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe" (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.nrl.com
O15 - Trusted Zone: http://www.nrl.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6475 bytes

Shaba
2008-06-12, 15:41
Hi ohnredav

Please post the next Spybot report :)

ohnredav
2008-06-14, 07:13
--- Search result list ---
Zlob.Downloader.vdt: [SBI $AC965326] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51D81DD5-55B7-497F-95DB-D356429BB54E}


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-10 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-03 Includes\Adware.sbi (*)
2008-06-03 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-03 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-04 Includes\Hijackers.sbi (*)
2008-06-03 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-03 Includes\Malware.sbi (*)
2008-06-03 Includes\MalwareC.sbi (*)
2008-06-03 Includes\PUPS.sbi (*)
2008-06-03 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-03 Includes\Security.sbi (*)
2008-06-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-03 Includes\Spyware.sbi (*)
2008-06-03 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-03 Includes\Trojans.sbi (*)
2008-06-03 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)


--- Startup entries list ---

--- Browser helper object list ---


--- ActiveX list ---
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 4/02/2008 5:23:10 PM
Date (last access): 14/06/2008 2:43:52 PM
Date (last write): 4/02/2008 5:23:10 PM
Filesize: 693792
Attributes: archive
MD5: D1346A4683E98836E2FE003859E5DC0D
CRC32: DF1DBA7A
Version: 1.6.28.0



--- Process list ---

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 14/06/2008 3:13:05 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.ebay.com.au/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {D5D5D719-CEE1-4414-8EEB-DF1CB226979D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {920619E7-28B8-4510-94A6-A99A91B2BEB7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {CA14A6D6-4A8D-49DE-A0C4-AAECE76A82D4}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {C5BF6CA8-5955-43D8-B208-1F6CC2D23990}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {8C5F0EB9-8CC0-4927-8544-BA17A0CCB251}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 5: NOD32 protected [MSAFD Pgm (RDM)]
GUID: {4E5F8B81-AA43-48A3-8AC2-954D4CE91A20}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 6: NOD32 protected [MSAFD Pgm (Stream)]
GUID: {E5A7C8A1-4714-49ED-9830-D444CD8010C7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 7: NOD32 protected [MSAFD Tcpip [TCP/IPv6]]
GUID: {82BBC9C2-3606-4C46-BFE7-41E2E420040D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 8: NOD32 protected [MSAFD Tcpip [UDP/IPv6]]
GUID: {9ACEFB04-151E-42E2-80CA-A659AB2F04B6}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 9: NOD32 protected [MSAFD Tcpip [RAW/IPv6]]
GUID: {031EE870-115D-4AC6-AA8A-2D89EEF42F36}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 15: MSAFD Pgm (RDM)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 16: MSAFD Pgm (Stream)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 20: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: C:\WINDOWS\system32\imon.dll

Namespace Provider 0: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 1: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

ohnredav
2008-06-14, 07:14
If I run an Ad-Aware scan, it still locates the trojan.

Shaba
2008-06-14, 11:20
Hi

Please post the Ad-Aware report next, then :)

ohnredav
2008-06-14, 13:33
Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, 14 June 2008 9:30:57 PM
Using definitions file:SE1R259 12.06.2008
Computer name:BENT
User name:bent
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):1 total references
Win32.Trojandownloader.Zlob(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Use permanent archive caching
Set : Automatically check all objects in results lists
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Deactivate Ad-Watch during Ad-Aware scans
Set : Log Ad-Aware events
Set : Block pop-ups aggressively
Set : Load Ad-Watch minimized
Set : Hide Ad-Watch tray icon
Set : Automatically select problematic objects in results lists
Set : Reanalyze results after scanning before displaying results lists
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include info about ignored objects in log file, if detected in scan
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include used command line parameters in log file
Set : Include computer and username in log file
Set : Include reference summary in log file
Set : Create log file for removal operations
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Remember window positions
Set : Limit drive selection to fixed drives
Set : Use gridlines in results lists
Set : Show detail tooltips in results lists
Set : Suppress WebUpdate confirmation dialogs
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


14-06-2008 9:30:57 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 732
ThreadCreationTime : 14-06-2008 6:32:11 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 788
ThreadCreationTime : 14-06-2008 6:32:13 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 812
ThreadCreationTime : 14-06-2008 6:32:14 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 856
ThreadCreationTime : 14-06-2008 6:32:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
Scanning Module:C:\WINDOWS\system32\services.exe...
Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...
Scanning Module:C:\WINDOWS\system32\SCESRV.dll...
Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...
Scanning Module:C:\WINDOWS\system32\ShimEng.dll...
Scanning Module:C:\WINDOWS\AppPatch\AcAdProc.dll...
Scanning Module:C:\WINDOWS\system32\eventlog.dll...
Scanning Module:C:\Program Files\ThreatFire\TFWAH.dll...

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 868
ThreadCreationTime : 14-06-2008 6:32:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2113)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Scanning Module:C:\WINDOWS\system32\lsass.exe...
Scanning Module:C:\WINDOWS\system32\LSASRV.dll...
Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...
Scanning Module:C:\WINDOWS\system32\cryptdll.dll...
Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...
Scanning Module:C:\WINDOWS\system32\msprivs.dll...
Scanning Module:C:\WINDOWS\system32\kerberos.dll...
Scanning Module:C:\WINDOWS\system32\netlogon.dll...
Scanning Module:C:\WINDOWS\system32\w32time.dll...
Scanning Module:C:\WINDOWS\system32\schannel.dll...
Scanning Module:C:\WINDOWS\system32\wdigest.dll...
Scanning Module:C:\WINDOWS\system32\scecli.dll...
Scanning Module:C:\WINDOWS\system32\ipsecsvc.dll...
Scanning Module:C:\WINDOWS\system32\oakley.DLL...
Scanning Module:C:\WINDOWS\system32\WINIPSEC.DLL...
Scanning Module:C:\WINDOWS\system32\pstorsvc.dll...
Scanning Module:C:\WINDOWS\system32\imon.dll...
Scanning Module:C:\WINDOWS\system32\WSOCK32.dll...
Scanning Module:C:\WINDOWS\system32\psbase.dll...
Scanning Module:C:\WINDOWS\system32\mswsock.dll...
Scanning Module:C:\WINDOWS\system32\hnetcfg.dll...
Scanning Module:C:\WINDOWS\System32\wshtcpip.dll...
Scanning Module:C:\WINDOWS\system32\dssenh.dll...

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 1036
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\system32\svchost.exe...
Scanning Module:c:\windows\system32\rpcss.dll...
Scanning Module:c:\windows\system32\termsrv.dll...
Scanning Module:c:\windows\system32\ICAAPI.dll...
Scanning Module:c:\windows\system32\mstlsapi.dll...
Scanning Module:c:\windows\system32\ACTIVEDS.dll...
Scanning Module:c:\windows\system32\adsldpc.dll...
Scanning Module:c:\windows\system32\ATL.DLL...

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1104
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\System32\wship6.dll...
Scanning Module:C:\WINDOWS\system32\pnrpnsp.dll...
Scanning Module:C:\WINDOWS\System32\winrnr.dll...
Scanning Module:C:\WINDOWS\system32\rasadhlp.dll...

#:8 [msmpeng.exe]
ModuleName : C:\Program Files\Windows Defender\MsMpEng.exe
Command Line : "C:\Program Files\Windows Defender\MsMpEng.exe"
ProcessID : 1216
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe
Scanning Module:C:\Program Files\Windows Defender\MsMpEng.exe...
Scanning Module:C:\Program Files\Windows Defender\MpSvc.dll...
Scanning Module:C:\Program Files\Windows Defender\MpClient.dll...
Scanning Module:C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{36453B81-3159-460D-B200-C483FE3B65F0}\mpengine.dll...
Scanning Module:C:\WINDOWS\system32\DBGHELP.DLL...
Scanning Module:C:\WINDOWS\system32\WININET.DLL...
Scanning Module:C:\WINDOWS\system32\Normaliz.dll...
Scanning Module:C:\WINDOWS\system32\iertutil.dll...
Scanning Module:C:\Program Files\Windows Defender\mprtplug.dll...
Scanning Module:C:\Program Files\Windows Defender\MpAsDesc.dll...

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1256
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\dhcpcsvc.dll...
Scanning Module:c:\windows\system32\wzcsvc.dll...
Scanning Module:c:\windows\system32\rtutils.dll...
Scanning Module:c:\windows\system32\WMI.dll...
Scanning Module:c:\windows\system32\EapolQec.dll...
Scanning Module:c:\windows\system32\QUtil.dll...
Scanning Module:c:\windows\system32\dot3api.dll...
Scanning Module:c:\windows\system32\ESENT.dll...
Scanning Module:C:\WINDOWS\System32\rastls.dll...
Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...
Scanning Module:C:\WINDOWS\System32\MPRAPI.dll...
Scanning Module:C:\WINDOWS\System32\RASAPI32.dll...
Scanning Module:C:\WINDOWS\System32\rasman.dll...
Scanning Module:C:\WINDOWS\System32\TAPI32.dll...
Scanning Module:C:\WINDOWS\System32\raschap.dll...
Scanning Module:c:\windows\system32\schedsvc.dll...
Scanning Module:C:\WINDOWS\System32\MSIDLE.DLL...
Scanning Module:c:\windows\system32\audiosrv.dll...
Scanning Module:c:\windows\system32\wkssvc.dll...
Scanning Module:c:\windows\system32\qmgr.dll...
Scanning Module:c:\windows\system32\SHFOLDER.dll...
Scanning Module:c:\windows\system32\WINHTTP.dll...
Scanning Module:C:\WINDOWS\System32\netman.dll...
Scanning Module:C:\WINDOWS\System32\netshell.dll...
Scanning Module:C:\WINDOWS\System32\credui.dll...
Scanning Module:C:\WINDOWS\System32\dot3dlg.dll...
Scanning Module:C:\WINDOWS\System32\OneX.DLL...
Scanning Module:C:\WINDOWS\System32\eappcfg.dll...
Scanning Module:C:\WINDOWS\System32\eappprxy.dll...
Scanning Module:C:\WINDOWS\System32\WZCSAPI.DLL...
Scanning Module:c:\windows\system32\cryptsvc.dll...
Scanning Module:c:\windows\system32\certcli.dll...
Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...
Scanning Module:c:\windows\system32\ersvc.dll...
Scanning Module:c:\windows\system32\es.dll...
Scanning Module:c:\windows\system32\dmserver.dll...
Scanning Module:c:\windows\system32\iprip.dll...
Scanning Module:c:\windows\system32\srvsvc.dll...
Scanning Module:c:\windows\system32\seclogon.dll...
Scanning Module:c:\windows\system32\sens.dll...
Scanning Module:c:\windows\system32\srsvc.dll...
Scanning Module:c:\windows\system32\POWRPROF.dll...
Scanning Module:c:\windows\system32\tapisrv.dll...
Scanning Module:c:\windows\system32\trkwks.dll...
Scanning Module:c:\windows\system32\wbem\wmisvc.dll...
Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...
Scanning Module:c:\windows\system32\wuauserv.dll...
Scanning Module:C:\WINDOWS\system32\wuaueng.dll...
Scanning Module:C:\WINDOWS\System32\Cabinet.dll...
Scanning Module:C:\WINDOWS\System32\mspatcha.dll...
Scanning Module:C:\WINDOWS\system32\comsvcs.dll...
Scanning Module:C:\WINDOWS\system32\colbact.DLL...
Scanning Module:C:\WINDOWS\system32\MTXCLU.DLL...
Scanning Module:C:\WINDOWS\System32\CLUSAPI.DLL...
Scanning Module:C:\WINDOWS\System32\RESUTILS.DLL...
Scanning Module:c:\windows\system32\ipnathlp.dll...
Scanning Module:c:\windows\system32\wscsvc.dll...
Scanning Module:c:\windows\system32\msi.dll...
Scanning Module:C:\WINDOWS\system32\WBEM\wbemcore.dll...
Scanning Module:C:\WINDOWS\system32\WBEM\esscli.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wmiutils.dll...
Scanning Module:C:\WINDOWS\system32\wbem\repdrvfs.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wmiprvsd.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wbemess.dll...
Scanning Module:C:\WINDOWS\system32\wbem\ncprov.dll...
Scanning Module:c:\windows\system32\browser.dll...
Scanning Module:C:\WINDOWS\system32\upnp.dll...
Scanning Module:C:\WINDOWS\system32\SSDPAPI.dll...
Scanning Module:C:\WINDOWS\system32\netcfgx.dll...
Scanning Module:C:\WINDOWS\System32\rasmans.dll...
Scanning Module:C:\WINDOWS\System32\rastapi.dll...
Scanning Module:C:\WINDOWS\System32\unimdm.tsp...
Scanning Module:C:\WINDOWS\System32\uniplat.dll...
Scanning Module:C:\WINDOWS\System32\kmddsp.tsp...
Scanning Module:C:\WINDOWS\System32\ndptsp.tsp...
Scanning Module:C:\WINDOWS\System32\ipconf.tsp...
Scanning Module:C:\WINDOWS\System32\h323.tsp...
Scanning Module:C:\WINDOWS\System32\hidphone.tsp...
Scanning Module:C:\WINDOWS\System32\HID.DLL...
Scanning Module:C:\WINDOWS\System32\rasppp.dll...
Scanning Module:C:\WINDOWS\System32\ntlsapi.dll...
Scanning Module:C:\WINDOWS\System32\RASQEC.DLL...
Scanning Module:C:\WINDOWS\System32\RASDLG.dll...
Scanning Module:C:\WINDOWS\system32\urlmon.dll...
Scanning Module:C:\WINDOWS\system32\advpack.dll...
Scanning Module:C:\WINDOWS\system32\wups.dll...
Scanning Module:C:\WINDOWS\system32\msxml3.dll...
Scanning Module:C:\WINDOWS\system32\wups2.dll...
Scanning Module:C:\WINDOWS\system32\wuapi.dll...
Scanning Module:C:\WINDOWS\system32\rsvpsp.dll...

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
ProcessID : 1288
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\wudfsvc.dll...
Scanning Module:c:\windows\system32\WUDFPlatform.dll...

#:11 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1352
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\dnsrslvr.dll...

#:12 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1504
ThreadCreationTime : 14-06-2008 6:32:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\lmhsvc.dll...
Scanning Module:c:\windows\system32\webclnt.dll...
Scanning Module:c:\windows\system32\regsvc.dll...
Scanning Module:c:\windows\system32\ssdpsrv.dll...
Scanning Module:C:\WINDOWS\system32\httpapi.dll...

#:13 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1728
ThreadCreationTime : 14-06-2008 6:32:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Scanning Module:C:\WINDOWS\system32\spoolsv.exe...
Scanning Module:C:\WINDOWS\system32\SPOOLSS.DLL...
Scanning Module:C:\WINDOWS\system32\localspl.dll...
Scanning Module:C:\WINDOWS\system32\cnbjmon.dll...
Scanning Module:C:\WINDOWS\system32\CNMLM5y.DLL...
Scanning Module:C:\WINDOWS\system32\lprmon.dll...
Scanning Module:C:\WINDOWS\system32\LPRHELP.dll...
Scanning Module:C:\WINDOWS\system32\FXSMON.DLL...
Scanning Module:C:\WINDOWS\system32\FXSEVENT.dll...
Scanning Module:C:\WINDOWS\system32\pjlmon.dll...
Scanning Module:C:\WINDOWS\system32\msonpmon.dll...
Scanning Module:C:\WINDOWS\system32\tcpmon.dll...
Scanning Module:C:\WINDOWS\system32\usbmon.dll...
Scanning Module:C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD5y.DLL...
Scanning Module:C:\WINDOWS\System32\spool\PRTPROCS\W32X86\msonpppr.dll...
Scanning Module:C:\WINDOWS\system32\win32spl.dll...
Scanning Module:C:\WINDOWS\system32\NETRAP.dll...
Scanning Module:C:\WINDOWS\system32\inetpp.dll...

#:14 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1984
ThreadCreationTime : 14-06-2008 6:32:17 AM
BasePriority : Normal
FileVersion : 6.00.2900.5512 (xpsp.080413-2105)
ProductVersion : 6.00.2900.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINDOWS\Explorer.EXE...
Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...
Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...
Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll...
Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL...
Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL...
Scanning Module:C:\WINDOWS\system32\MSImg32.dll...
Scanning Module:C:\WINDOWS\system32\themeui.dll...
Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...
Scanning Module:C:\WINDOWS\system32\ntshrui.dll...
Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll...
Scanning Module:C:\WINDOWS\system32\MSCTF.dll...
Scanning Module:C:\WINDOWS\system32\shdoclc.dll...
Scanning Module:C:\WINDOWS\system32\webcheck.dll...
Scanning Module:C:\WINDOWS\system32\IEFRAME.dll...
Scanning Module:C:\WINDOWS\system32\stobject.dll...
Scanning Module:C:\WINDOWS\system32\BatMeter.dll...
Scanning Module:C:\WINDOWS\system32\upnpui.dll...
Scanning Module:C:\WINDOWS\system32\WPDShServiceObj.dll...
Scanning Module:C:\WINDOWS\system32\PortableDeviceTypes.dll...
Scanning Module:C:\WINDOWS\system32\PortableDeviceApi.dll...
Scanning Module:C:\WINDOWS\system32\fxsst.dll...
Scanning Module:C:\WINDOWS\system32\FXSAPI.dll...
Scanning Module:C:\WINDOWS\System32\drprov.dll...
Scanning Module:C:\WINDOWS\System32\ntlanman.dll...
Scanning Module:C:\WINDOWS\System32\NETUI0.dll...
Scanning Module:C:\WINDOWS\System32\NETUI1.dll...
Scanning Module:C:\WINDOWS\System32\davclnt.dll...
Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll...
Scanning Module:C:\WINDOWS\system32\wzcdlg.dll...
Scanning Module:C:\PROGRA~1\WIFD1F~1\MpShHook.dll...
Scanning Module:C:\WINDOWS\system32\MSISIP.DLL...
Scanning Module:C:\WINDOWS\system32\wshext.dll...

#:15 [nod32kui.exe]
ModuleName : C:\Program Files\Eset\nod32kui.exe
Command Line : "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
ProcessID : 208
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 2, 70, 39
ProductVersion : 2, 70, 39
ProductName : NOD32 Antivirus System
CompanyName : Eset
FileDescription : NOD32 Control Center GUI
InternalName : NOD32 Control Center GUI
LegalCopyright : Copyright (c) 1992-2005 Eset
LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset
OriginalFilename : nod32kui.exe
Scanning Module:C:\Program Files\Eset\nod32kui.exe...
Scanning Module:C:\WINDOWS\system32\MFC42u.DLL...
Scanning Module:C:\Program Files\Eset\pu_amon.dll...
Scanning Module:C:\Program Files\Eset\pu_dmon.dll...
Scanning Module:C:\Program Files\Eset\pu_emon.dll...
Scanning Module:C:\Program Files\Eset\pu_imon.dll...
Scanning Module:C:\Program Files\Eset\pu_nod32.dll...
Scanning Module:C:\Program Files\Eset\pu_upd.dll...

#:16 [issch.exe]
ModuleName : C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Command Line : "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
ProcessID : 236
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 4, 10, 100, 25539
ProductVersion : 4, 10
ProductName : InstallShield Update Service
CompanyName : InstallShield Software Corporation
FileDescription : InstallShield Update Service Scheduler
InternalName : Scheduler
LegalCopyright : Copyright (C) 1990-2004 InstallShield Software Corporation
OriginalFilename : issch.exe
Scanning Module:C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe...

#:17 [jusched.exe]
ModuleName : C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
Command Line : "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
ProcessID : 244
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe...

#:18 [tftray.exe]
ModuleName : C:\Program Files\ThreatFire\TFTray.exe
Command Line : n/a
ProcessID : 272
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 3.8.4.24
ProductVersion : 3.5.0.21
ProductName : ThreatFire
CompanyName : PC Tools
FileDescription : PC Tools ThreatFire Tray App
InternalName : TrayApp
LegalCopyright : Copyright © 2005-2008 PC Tools. All Rights Reserved.
LegalTrademarks : ThreatFire(tm) is a trademark of PC Tools
OriginalFilename : TrayApp.exe
Scanning Module:C:\Program Files\ThreatFire\TFTray.exe...
Scanning Module:C:\Program Files\ThreatFire\TFAPI.dll...
Scanning Module:C:\Program Files\ThreatFire\TFRes-en.dll...

#:19 [msascui.exe]
ModuleName : C:\Program Files\Windows Defender\MSASCui.exe
Command Line : "C:\Program Files\Windows Defender\MSASCui.exe" -hide
ProcessID : 368
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe
Scanning Module:C:\Program Files\Windows Defender\MSASCui.exe...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll...
Scanning Module:C:\WINDOWS\system32\OLEACC.dll...
Scanning Module:C:\Program Files\Windows Defender\MsMpRes.dll...
Scanning Module:C:\Program Files\Windows Defender\MpRtMon.DLL...
Scanning Module:C:\WINDOWS\system32\MSFTEDIT.DLL...
Scanning Module:C:\WINDOWS\system32\WshRm.dll...

#:20 [rthdcpl.exe]
ModuleName : C:\WINDOWS\RTHDCPL.EXE
Command Line : "C:\WINDOWS\RTHDCPL.EXE"
ProcessID : 376
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 2.1.1.1
ProductVersion : 2.1.1.1
ProductName : Realtek HD Audio Sound Effect Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek HD Audio Control Panel
LegalCopyright : Copyright (c) 2004 Realtek Semiconductor Corp.
OriginalFilename : RTHDCPL.EXE
Scanning Module:C:\WINDOWS\RTHDCPL.EXE...
Scanning Module:C:\WINDOWS\system32\DSOUND.DLL...
Scanning Module:C:\WINDOWS\system32\HHCTRL.OCX...
Scanning Module:C:\WINDOWS\system32\KsUser.dll...

#:21 [igfxtray.exe]
ModuleName : C:\WINDOWS\system32\igfxtray.exe
Command Line : "C:\WINDOWS\system32\igfxtray.exe"
ProcessID : 424
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 6.14.10.4764
ProductVersion : 6.14.10.4764
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : IGFXTRAY.EXE
Scanning Module:C:\WINDOWS\system32\igfxtray.exe...
Scanning Module:C:\WINDOWS\system32\hccutils.DLL...
Scanning Module:C:\WINDOWS\system32\igfxsrvc.dll...
Scanning Module:C:\WINDOWS\system32\igfxres.dll...
Scanning Module:C:\WINDOWS\system32\igfxress.dll...

#:22 [hkcmd.exe]
ModuleName : C:\WINDOWS\system32\hkcmd.exe
Command Line : "C:\WINDOWS\system32\hkcmd.exe"
ProcessID : 444
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 6.14.10.4764
ProductVersion : 6.14.10.4764
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : HKCMD.EXE
Scanning Module:C:\WINDOWS\system32\hkcmd.exe...

#:23 [igfxpers.exe]
ModuleName : C:\WINDOWS\system32\igfxpers.exe
Command Line : "C:\WINDOWS\system32\igfxpers.exe"
ProcessID : 456
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 6.14.10.4764
ProductVersion : 6.14.10.4764
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : persistence Module
InternalName : PERSISTENCE
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : IGFXPERS.EXE
Scanning Module:C:\WINDOWS\system32\igfxpers.exe...

#:24 [groovemonitor.exe]
ModuleName : C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
Command Line : "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
ProcessID : 572
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe...

#:25 [spyeraser.exe]
ModuleName : C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
Command Line : "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
ProcessID : 608
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : Normal
FileVersion : 2.0.1.1531
ProductVersion : 2.0.1.1531
ProductName : SpyEraser
CompanyName : Uniblue Software
FileDescription : SpyEraser
InternalName : SpyEraser
LegalCopyright : Copyright (C) 2003-2006 Uniblue Software. All rights reserved.
LegalTrademarks : Uniblue Software
OriginalFilename : SpyEraser
Comments : http://www.Uniblue.com
Scanning Module:C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe...
Scanning Module:C:\Program Files\Uniblue\SpyEraser\SEEng.dll...
Scanning Module:C:\Program Files\Uniblue\SpyEraser\zlibwapi.dll...
Scanning Module:C:\Program Files\Uniblue\SpyEraser\XceedZip.dll...
Scanning Module:C:\Program Files\Uniblue\SpyEraser\spyeraser.dll...
Scanning Module:C:\Program Files\Uniblue\SpyEraser\ubvarse.dll...
Scanning Module:C:\WINDOWS\system32\inetmib1.dll...
Scanning Module:C:\WINDOWS\system32\snmpapi.dll...
Scanning Module:C:\WINDOWS\system32\mstask.dll...
Scanning Module:C:\WINDOWS\system32\RICHED20.DLL...
Scanning Module:C:\WINDOWS\system32\mshtml.dll...
Scanning Module:C:\WINDOWS\system32\msls31.dll...

#:26 [ad-watch.exe]
ModuleName : C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
Command Line : "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
ProcessID : 616
ThreadCreationTime : 14-06-2008 6:32:19 AM
BasePriority : High
FileVersion : 3.1.2.17
ProductVersion : 3.2
ProductName : Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Watch System Protector
InternalName : Ad-Watch.exe
LegalCopyright : 1999-2004 Team Lavasoft
OriginalFilename : Ad-Watch.exe
Scanning Module:C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe...
Scanning Module:C:\WINDOWS\system32\olepro32.dll...
Scanning Module:C:\WINDOWS\system32\RICHED32.DLL...

#:27 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : "C:\WINDOWS\system32\ctfmon.exe"
ProcessID : 632
ThreadCreationTime : 14-06-2008 6:32:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
Scanning Module:C:\WINDOWS\system32\ctfmon.exe...
Scanning Module:C:\WINDOWS\system32\MSUTB.dll...

#:28 [msdtc.exe]
ModuleName : C:\WINDOWS\system32\msdtc.exe
Command Line : C:\WINDOWS\system32\msdtc.exe
ProcessID : 1276
ThreadCreationTime : 14-06-2008 6:32:25 AM
BasePriority : Normal
FileVersion : 2001.12.4414.700
ProductVersion : 03.01.00.4414
ProductName : Microsoft Distributed Transaction Coordinator
CompanyName : Microsoft Corporation
FileDescription : MS DTC console program
InternalName : MSDTC.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1998
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
Scanning Module:C:\WINDOWS\system32\msdtc.exe...
Scanning Module:C:\WINDOWS\system32\MSDTCTM.dll...
Scanning Module:C:\WINDOWS\system32\MSDTCLOG.dll...
Scanning Module:C:\WINDOWS\system32\MSDTCPRX.dll...
Scanning Module:C:\WINDOWS\system32\XOLEHLP.dll...
Scanning Module:C:\WINDOWS\system32\MTxOCI.Dll...

#:29 [a2service.exe]
ModuleName : C:\Program Files\a-squared Free\a2service.exe
Command Line : "C:\Program Files\a-squared Free\a2service.exe"
ProcessID : 1432
ThreadCreationTime : 14-06-2008 6:32:27 AM
BasePriority : Normal
FileVersion : 3.0.0.448
ProductVersion : 3.0.0.0
ProductName : a-squared
CompanyName : Emsi Software GmbH
FileDescription : a-squared Service
InternalName : a2service
LegalCopyright : (C) 2003-2008 Emsi Software GmbH
OriginalFilename : a2service.exe
Scanning Module:C:\Program Files\a-squared Free\a2service.exe...

#:30 [cisvc.exe]
ModuleName : C:\WINDOWS\system32\cisvc.exe
Command Line : C:\WINDOWS\system32\cisvc.exe
ProcessID : 1528
ThreadCreationTime : 14-06-2008 6:32:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe
Scanning Module:C:\WINDOWS\system32\cisvc.exe...
Scanning Module:C:\WINDOWS\system32\query.dll...
Scanning Module:C:\WINDOWS\system32\ADMWPROX.DLL...

#:31 [inetinfo.exe]
ModuleName : C:\WINDOWS\system32\inetsrv\inetinfo.exe
Command Line : C:\WINDOWS\system32\inetsrv\inetinfo.exe
ProcessID : 1872
ThreadCreationTime : 14-06-2008 6:32:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion : 5.1.2600.5512
ProductName : Internet Information Services
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : INETINFO.EXE
Scanning Module:C:\WINDOWS\system32\inetsrv\inetinfo.exe...
Scanning Module:C:\WINDOWS\system32\IisRTL.DLL...
Scanning Module:C:\WINDOWS\system32\inetsrv\rpcref.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\iisadmin.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\COADMIN.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\metadata.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\nsepm.dll...
Scanning Module:C:\WINDOWS\system32\IISMAP.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\wamreg.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\admexs.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\svcext.dll...
Scanning Module:C:\WINDOWS\system32\Security.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\w3svc.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\INFOCOMM.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\ISATQ.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\IISFECNV.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\lonsint.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\ftpsvc2.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\SMTPSVC.dll...
Scanning Module:C:\WINDOWS\system32\FCACHDLL.dll...
Scanning Module:C:\WINDOWS\system32\RWNH.dll...
Scanning Module:C:\WINDOWS\system32\exstrace.dll...
Scanning Module:C:\WINDOWS\system32\STAXMEM.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\iscomlog.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\sspifilt.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\compfilt.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\seo.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\gzip.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\pwsdata.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\md5filt.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\aqueue.dll...
Scanning Module:C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\fpexedll.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\iislog.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\ntfsdrv.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\httpext.dll...

#:32 [nod32krn.exe]
ModuleName : C:\Program Files\Eset\nod32krn.exe
Command Line : "C:\Program Files\Eset\nod32krn.exe"
ProcessID : 1952
ThreadCreationTime : 14-06-2008 6:32:29 AM
BasePriority : Normal
FileVersion : 2, 70, 39
ProductVersion : 2, 70, 39
ProductName : NOD32 Antivirus System
CompanyName : Eset
FileDescription : NOD32 Kernel Service
InternalName : NOD32 Kernel
LegalCopyright : Copyright (c) 1992-2005 Eset
LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset
OriginalFilename : nod32krn.exe
Scanning Module:C:\Program Files\Eset\nod32krn.exe...
Scanning Module:C:\Program Files\Eset\ps_amon.dll...
Scanning Module:C:\Program Files\Eset\ps_dmon.dll...
Scanning Module:C:\Program Files\Eset\ps_emon.dll...
Scanning Module:C:\Program Files\Eset\ps_nod32.dll...
Scanning Module:C:\Program Files\Eset\ps_upd.dll...

#:33 [tcpsvcs.exe]
ModuleName : C:\WINDOWS\system32\tcpsvcs.exe
Command Line : C:\WINDOWS\system32\tcpsvcs.exe
ProcessID : 2220
ThreadCreationTime : 14-06-2008 6:32:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : TCPSVCS.EXE
Scanning Module:C:\WINDOWS\system32\tcpsvcs.exe...
Scanning Module:C:\WINDOWS\system32\simptcp.dll...

#:34 [snmp.exe]
ModuleName : C:\WINDOWS\System32\snmp.exe
Command Line : C:\WINDOWS\System32\snmp.exe
ProcessID : 2272
ThreadCreationTime : 14-06-2008 6:32:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : snmp.exe
Scanning Module:C:\WINDOWS\System32\snmp.exe...
Scanning Module:C:\WINDOWS\System32\lmmib2.dll...
Scanning Module:C:\WINDOWS\System32\hostmib.dll...
Scanning Module:C:\WINDOWS\System32\snmpmib.dll...
Scanning Module:C:\WINDOWS\System32\evntagnt.dll...
Scanning Module:C:\WINDOWS\System32\igmpagnt.dll...
Scanning Module:C:\WINDOWS\System32\mcastmib.dll...
Scanning Module:C:\WINDOWS\System32\rtipxmib.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\httpmib.dll...
Scanning Module:C:\WINDOWS\system32\INFOADMN.dll...
Scanning Module:C:\WINDOWS\system32\inetsrv\ftpmib.dll...
Scanning Module:C:\WINDOWS\System32\perfos.dll...

#:35 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 2376
ThreadCreationTime : 14-06-2008 6:32:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\wiaservc.dll...
Scanning Module:c:\windows\system32\CFGMGR32.dll...
Scanning Module:c:\windows\system32\mscms.dll...
Scanning Module:C:\WINDOWS\system32\ACTXPRXY.DLL...

#:36 [tfservice.exe]
ModuleName : C:\Program Files\ThreatFire\TFService.exe
Command Line : n/a
ProcessID : 2448
ThreadCreationTime : 14-06-2008 6:32:31 AM
BasePriority : Normal
FileVersion : 3.8.4.24
ProductVersion : 3.5.0.21
ProductName : ThreatFire
CompanyName : PC Tools
FileDescription : PC Tools ThreatFire Service
InternalName : OCService
LegalCopyright : Copyright © 2005-2008 PC Tools. All Rights Reserved.
LegalTrademarks : ThreatFire(tm) is a trademark of PC Tools
OriginalFilename : OCService.dll
Scanning Module:C:\Program Files\ThreatFire\TFService.exe...
Scanning Module:C:\Program Files\ThreatFire\TFServer.dll...
Scanning Module:C:\Program Files\ThreatFire\TFE.dll...
Scanning Module:C:\Program Files\ThreatFire\TFMisc.dll...
Scanning Module:C:\Program Files\ThreatFire\TFLog.dll...
Scanning Module:C:\Program Files\ThreatFire\TFMon.dll...
Scanning Module:C:\Program Files\ThreatFire\TFUndo.dll...
Scanning Module:C:\Program Files\ThreatFire\TFSF.dll...
Scanning Module:C:\Program Files\ThreatFire\TFRK.dll...
Scanning Module:C:\Program Files\ThreatFire\TFQT.dll...
Scanning Module:C:\Program Files\ThreatFire\TFScan.dll...
Scanning Module:C:\Program Files\ThreatFire\TFAVE.dll...
Scanning Module:C:\Program Files\ThreatFire\TFDBM.dll...
Scanning Module:C:\Program Files\ThreatFire\TFTM.dll...
Scanning Module:C:\Program Files\ThreatFire\TFO.dll...
Scanning Module:C:\Program Files\ThreatFire\TFCR.dll...
Scanning Module:C:\Program Files\ThreatFire\TFWS.dll...
Scanning Module:C:\WINDOWS\system32\cryptnet.dll...
Scanning Module:C:\WINDOWS\system32\SensApi.dll...

#:37 [mqsvc.exe]
ModuleName : C:\WINDOWS\system32\mqsvc.exe
Command Line : C:\WINDOWS\system32\mqsvc.exe
ProcessID : 3008
ThreadCreationTime : 14-06-2008 6:32:35 AM
BasePriority : Normal
FileVersion : 5.01.1110
ProductVersion : 5.01.1110
ProductName : Microsoft Message Queue
CompanyName : Microsoft Corporation
FileDescription : Message Queuing Service
LegalCopyright : Copyright (C) Microsoft Corporation. 1981-2000
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation. Windows NT(TM) is a trademark of Microsoft Corporation
OriginalFilename : MQSVC.EXE
Scanning Module:C:\WINDOWS\system32\mqsvc.exe...
Scanning Module:C:\WINDOWS\system32\MQQM.dll...
Scanning Module:C:\WINDOWS\system32\mqutil.dll...
Scanning Module:C:\WINDOWS\system32\mqsec.dll...
Scanning Module:C:\WINDOWS\system32\MqLogMgr.dll...

#:38 [mqtgsvc.exe]
ModuleName : C:\WINDOWS\system32\mqtgsvc.exe
Command Line : C:\WINDOWS\system32\mqtgsvc.exe
ProcessID : 3464
ThreadCreationTime : 14-06-2008 6:32:39 AM
BasePriority : Normal
FileVersion : 5.01.1110
ProductVersion : 5.01.1110
ProductName : Microsoft Message Queue
CompanyName : Microsoft Corporation
FileDescription : Windows NT MSMQ Trigger Service
LegalCopyright : Copyright (C) Microsoft Corporation. 1981-2000
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation. Windows NT(TM) is a trademark of Microsoft Corporation
OriginalFilename : QMTGSVC.EXE
Scanning Module:C:\WINDOWS\system32\mqtgsvc.exe...
Scanning Module:C:\WINDOWS\system32\mqrt.dll...
Scanning Module:C:\WINDOWS\system32\MQTRIG.DLL...

#:39 [imapi.exe]
ModuleName : C:\WINDOWS\system32\imapi.exe
Command Line : C:\WINDOWS\system32\imapi.exe
ProcessID : 3532
ThreadCreationTime : 14-06-2008 6:32:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2105)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Image Mastering API
InternalName : imapi
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : imapi.exe
Scanning Module:C:\WINDOWS\system32\imapi.exe...

#:40 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 3864
ThreadCreationTime : 14-06-2008 6:32:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-0852)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
Scanning Module:C:\WINDOWS\System32\alg.exe...

#:41 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
ProcessID : 3840
ThreadCreationTime : 14-06-2008 6:32:51 AM
BasePriority : Normal
FileVersion : 5.1.2600.5512 (xpsp.080413-2111)
ProductVersion : 5.1.2600.5512
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\w3ssl.dll...
Scanning Module:C:\WINDOWS\System32\strmfilt.dll...

#:42 [cidaemon.exe]
ModuleName : C:\WINDOWS\system32\cidaemon.exe
Command Line : "cidaemon.exe" DownLevelDaemon "c:\system volume information\catalog.wci" 196672l 1528l
ProcessID : 2752
ThreadCreationTime : 14-06-2008 6:40:05 AM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe
Scanning Module:C:\WINDOWS\system32\cidaemon.exe...

#:43 [firefox.exe]
ModuleName : C:\Program Files\Mozilla Firefox\firefox.exe
Command Line : "C:\Program Files\Mozilla Firefox\firefox.exe"
ProcessID : 780
ThreadCreationTime : 14-06-2008 11:29:09 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Mozilla Firefox\firefox.exe...
Scanning Module:C:\Program Files\Mozilla Firefox\js3250.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\nspr4.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\xpcom_core.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\plc4.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\plds4.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\smime3.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\nss3.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\softokn3.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\ssl3.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\xpcom_compat.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\components\myspell.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\components\jar50.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL...
Scanning Module:C:\WINDOWS\system32\msimtf.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\freebl3.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\nssckbi.dll...
Scanning Module:C:\Documents and Settings\bent\Application Data\Mozilla\Firefox\Profiles\fjiorepz.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\xpcom.dll...
Scanning Module:C:\Program Files\Mozilla Firefox\components\spellchk.dll...

#:44 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe"
ProcessID : 2800
ThreadCreationTime : 14-06-2008 11:30:38 AM
BasePriority : Normal
FileVersion : 6.2.0.238
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Scanning Module:C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe...

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Win32.Trojandownloader.Zlob Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-725345543-1454471165-682003330-1003\software\microsoft\internet explorer\toolbar\Webbrowser
Value : {51d81dd5-55b7-497f-95db-d356429bb54e}


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\DOCUME~1\bent\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
8750 entries scanned.
New critical objects:0
Objects found so far: 1



MRU List Object Recognized!
Location: : C:\Documents and Settings\bent\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

9:32:22 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:25.140
Objects scanned:151835
Objects identified:1
Objects ignored:0
New critical objects:1

Reanalyzing scan result
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
No objects have been removed from the result list.

Shaba
2008-06-14, 13:36
Hi

Did it remove Win32.Trojandownloader.Zlob object?

ohnredav
2008-06-14, 13:37
Yes, it removes it, but if I rescan it is back again.

Shaba
2008-06-14, 13:38
Hi

I see.

Let's run these next:

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post the contents of that file in your next reply.

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Post:

- mbam report
- dss logs (taken after mbam run)

ohnredav
2008-06-14, 13:53
Malwarebytes' Anti-Malware 1.17
Database version: 846

9:52:45 PM 14/06/2008
mbam-log-6-14-2008 (21-52-40).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 77654
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
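Both scanners flagged the same object. Ad-Aware listed it under HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\...\Toolbar\Webbrowser, and that SID is the logged-on user's hive (the same one the O4 HKUS entries in the HijackThis log mirror from HKCU), so it is the value MBAM reports as HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51d81dd5-55b7-497f-95db-d356429bb54e}. GUID-named values under that key are the CLSIDs of toolbars IE loads; whether such a value is a live toolbar DLL or just an orphaned registration is the thing worth knowing before deciding why it keeps coming back. The script below is an added example, not part of the thread and not from Ad-Aware, MBAM or DSS: it lists every GUID-named value under the key and resolves each through HKCR\CLSID and InprocServer32 to report whether a DLL on disk backs it. It assumes a PowerShell 2.0 or later console run as the affected user; the function name Get-ToolbarRegistrations is invented for the example.

```powershell
# Added example, not from the thread or from Ad-Aware/MBAM: audit the IE toolbar
# list under HKCU\...\Toolbar\WebBrowser. Each GUID-named value there is a toolbar
# CLSID that IE will try to load; this resolves each one through HKCR\CLSID and
# reports whether a DLL really backs it or whether the value is an orphan.
# Assumes PowerShell 2.0 or later, run as the user whose hive is being examined.

$toolbarKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
$guidPattern = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'

function Get-ToolbarRegistrations {
    param([string]$Key = $toolbarKey)

    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Warning "Key not present: $Key"
        return
    }

    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        # Skip ITBarLayout and any other non-CLSID values; -notmatch is case-insensitive.
        if ($name -notmatch $guidPattern) { continue }

        $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$name"
        $inprocKey = "$clsidKey\InprocServer32"
        $dll       = $null
        $dllOnDisk = $false

        if (Test-Path -LiteralPath $inprocKey) {
            $dll = (Get-ItemProperty -LiteralPath $inprocKey).'(default)'
            if ($dll) {
                # Registrations may use %SystemRoot%-style paths; expand before testing.
                $dllOnDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
            }
        }

        if (-not (Test-Path -LiteralPath $clsidKey)) { $status = 'orphan: no CLSID registration' }
        elseif (-not $dll)                            { $status = 'CLSID present, no InprocServer32' }
        elseif (-not $dllOnDisk)                      { $status = 'CLSID points to a missing DLL' }
        else                                          { $status = 'live COM object' }

        New-Object PSObject -Property @{
            Guid   = $name
            Kind   = $item.GetValueKind($name)
            Status = $status
            Dll    = $dll
        }
    }
}

Get-ToolbarRegistrations | Format-Table Guid, Kind, Status, Dll -AutoSize
```

If the flagged GUID comes back as an orphan, the value itself is the only residue and Remove-ItemProperty on it, with every Internet Explorer window closed first, is enough; IE saves its toolbar layout under this key when it exits, which is the usual reason an entry "fixed" while a browser was open reappears on the next scan. If it resolves to a live DLL, that file is the actual component to submit to the helper and remove, and if the value still returns after a reboot, Process Monitor with a RegSetValue filter on the WebBrowser key path shows which process is writing it back.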

ohnredav
2008-06-14, 13:53
It removed it for now.

Shaba
2008-06-14, 13:57
Hi

Please also post the DSS logs.

ohnredav
2008-06-14, 13:59
Deckard's System Scanner v20071014.68
Run by bent on 2008-06-14 21:54:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as bent.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:27 PM, on 14/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\bent\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\bent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe" (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.nrl.com
O15 - Trusted Zone: http://www.nrl.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6350 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080611-204806-458 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080611-204806-467 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080611-204806-501 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
backup-20080611-204806-584 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
backup-20080611-204806-643 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
backup-20080611-204806-655 O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
backup-20080611-204807-713 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
backup-20080611-204854-497 R3 - Default URLSearchHook is missing
backup-20080611-205451-954 O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
backup-20080611-205451-961 O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
backup-20080611-211227-126 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-14 16:35:27 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-11 19:57:02 262 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-06-11 18:40:18 256 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-05-12 15:30:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-17 18:00:01 384 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 16:32:17 0 d--h----- C:\Documents and Settings\bent\Recent
2008-06-11 22:01:12 0 d-------- C:\Program Files\SpywareBlaster
2008-06-11 21:14:30 0 d-------- C:\Documents and Settings\bent\Application Data\Malwarebytes
2008-06-11 21:14:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 21:14:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:33:05 0 d-------- C:\Program Files\Trend Micro
2008-06-03 20:12:34 0 d-------- C:\Documents and Settings\bent\Application Data\Lavasoft
2008-05-31 14:13:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-05-31 14:10:33 0 d-------- C:\Documents and Settings\bent\Application Data\NSeries
2008-05-31 14:02:37 0 d-------- C:\Program Files\Nokia
2008-05-31 14:00:03 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-31 13:55:46 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-31 13:55:45 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-31 13:55:35 0 d-------- C:\Program Files\DIFX
2008-05-31 13:55:22 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-31 13:53:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-05-31 13:49:16 0 d-------- C:\Documents and Settings\bent\Application Data\Nokia
2008-05-31 13:49:03 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-31 13:42:25 0 d-------- C:\Documents and Settings\bent\Application Data\PC Suite
2008-05-18 16:47:30 0 d-------- C:\Program Files\Ventrilo
2008-05-18 16:47:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 13:09:27 0 d-------- C:\WINDOWS\system32\URTTEMP


-- Find3M Report ---------------------------------------------------------------

2008-06-14 15:15:21 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-10 19:34:52 0 --a------ C:\Program Files\bios.ini
2008-06-10 19:34:45 528 --a------ C:\Program Files\CONFIG.INI
2008-06-10 19:34:28 0 --a------ C:\Program Files\new_ver.ini
2008-06-04 22:47:47 0 d-------- C:\Program Files\a-squared Free
2008-06-03 21:04:23 0 d-------- C:\Program Files\Yahoo!
2008-06-03 20:59:02 0 d-------- C:\Program Files\Lavasoft
2008-05-31 13:55:46 0 d-------- C:\Program Files\Common Files
2008-05-22 19:51:13 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-13 19:31:02 0 d-------- C:\Program Files\Messenger
2008-05-13 19:30:34 0 d-------- C:\Program Files\Movie Maker
2008-05-13 19:27:39 0 d-------- C:\Program Files\Windows NT
2008-05-07 17:27:18 0 d-------- C:\Program Files\Clipsal Integrated Systems
2008-04-30 17:58:15 0 d-------- C:\Documents and Settings\bent\Application Data\System Tweaker
2008-04-30 17:52:58 0 d-------- C:\Program Files\ThreatFire
2008-04-30 17:51:22 0 d-------- C:\Program Files\Ashampoo
2008-04-27 17:10:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-25 18:19:28 27156 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-19 11:24:45 0 d-------- C:\Program Files\Apple Software Update
2008-04-17 21:33:27 0 d-------- C:\Documents and Settings\bent\Application Data\Ventrilo
2008-04-17 20:35:14 0 d-------- C:\Documents and Settings\bent\Application Data\Adobe
2008-04-17 20:34:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-26 17:16:39 127354 --a------ C:\Documents and Settings\bent\Application Data\Cosmos Prefs


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [06/01/2008 11:03 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [17/02/2005 06:15 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [17/02/2005 06:15 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [25/04/2008 08:52 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 06:20 PM]
"RTHDCPL"="RTHDCPL.EXE" [14/11/2006 07:21 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 08:43 PM C:\WINDOWS\Alcmtr.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/01/2007 09:47 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/01/2007 09:47 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/01/2007 09:46 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 02:40 PM]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07/09/2007 02:44 PM]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [29/05/2008 12:40 AM]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [29/01/2008 07:52 AM]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe" [25/05/2005 12:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - MBAMCATCHME



-- Hosts -----------------------------------------------------------------------


8741 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-14 21:57:20 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 38%
Physical Memory (total/avail): 2039.48 MiB / 1259.91 MiB
Pagefile Memory (total/avail): 5978.39 MiB / 5434.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1896.9 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 5.9 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 278.55 GiB total, 266.72 GiB free.
F: is CDROM (No Media)



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bent\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BENT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\bent
LOGONSERVER=\\BENT
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;E:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\bent\LOCALS~1\Temp
TMP=C:\DOCUME~1\bent\LOCALS~1\Temp
USERDOMAIN=BENT
USERNAME=bent
USERPROFILE=C:\Documents and Settings\bent
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

bent (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
@BIOS B06.1124.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}\setup.exe" -l0x9 -removeonly
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ashampoo WinOptimizer 2007 --> "C:\Program Files\Ashampoo\Ashampoo WinOptimizer 2007\Uninstall\1506_Uninstall.exe"
C-Bus Toolkit 1.8.3 build(343) --> "e:\Clipsal\CBusToolkit\unins000.exe"
Canon PIXMA iP1500 --> C:\WINDOWS\system32\CNMCP5y.exe "-PRINTERNAMECanon PIXMA iP1500" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmi0409.dll"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DMIView B06.1227.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EE1008C-11A1-4F4F-8DB7-27573924DE78}\setup.exe" -l0x9 -removeonly
EasyTune5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\ET5\Uninst.isu" -c"C:\Program Files\Gigabyte\ET5\uninstdrv.dll"
Face_Wizard B06.1129.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E76FCE6B-9999-4250-8C75-B2DA4AD41268}\setup.exe" -l0x9 -removeonly
Guild Wars --> "E:\Guild Wars\Gw.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
i-Cool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28184E01-D57A-4933-A09B-F65403F16D82}\setup.exe" -l0x9 -uninst -removeonly
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia NSeries Application Installer --> MsiExec.exe /I{FD349381-D79C-4E5C-8980-015DFFB962D5}
Nokia NSeries Content Copier --> MsiExec.exe /X{F779EC8D-6703-4C4A-817C-37B07898E647}
Nokia NSeries Multimedia Player --> MsiExec.exe /I{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881}
Nokia NSeries One Touch Access --> MsiExec.exe /I{F4EE8763-EAA8-4BC1-8594-8501F5F00414}
Nokia NSeries System Utilities --> MsiExec.exe /X{96E94E18-54D6-42C1-8FC4-24DACEDC3395}
Nokia Software Launcher --> MsiExec.exe /I{A8C856AD-63CD-4613-AA29-E6C85607EA06}
Nokia Software Updater --> MsiExec.exe /X{3186AEAE-E104-424D-9152-1BF6A4404758}
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
REALTEK GbE & FE Ethernet PCI NIC Driver --> C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\Setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
ThreatFire 3.0 --> "C:\Program Files\ThreatFire\unins000.exe"
Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
Uniblue System Tweaker --> "C:\Program Files\Uniblue\System Tweaker\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_635B28EFCFA9395123BB1C251595CB16129E2560\nokia_bluetooth.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2554 / Error
Event Submitted/Written: 06/14/2008 04:40:24 PM
Event ID/Source: 4118 / Ci
Event Description:
A content scan could not be completed on c:\.

Event Record #/Type2553 / Error
Event Submitted/Written: 06/14/2008 04:40:06 PM
Event ID/Source: 4127 / Ci
Event Description:
Content index on c:\inetpub\catalog.wci could not be initialized. Error 3221225529.

Event Record #/Type2549 / Warning
Event Submitted/Written: 06/14/2008 04:32:35 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type2548 / Warning
Event Submitted/Written: 06/14/2008 04:32:35 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type2547 / Warning
Event Submitted/Written: 06/14/2008 04:32:35 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9768 / Error
Event Submitted/Written: 06/14/2008 04:32:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPv6 Helper Service service terminated with the following error:
%%2

Event Record #/Type9762 / Warning
Event Submitted/Written: 06/14/2008 03:17:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%BENT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BENT27 can't undo changes that you allow.

For more information please see the following:
%BENT275

Scan ID: {26C8A323-3984-48CB-BBC1-E1088E37DE29}

User: BENT\bent

Name: %BENT271

ID: %BENT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %BENT276

Alert Type: %BENT278

Detection Type: 1.1.1593.02

Event Record #/Type9761 / Warning
Event Submitted/Written: 06/14/2008 03:17:27 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%BENT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BENT27 can't undo changes that you allow.

For more information please see the following:
%BENT275

Scan ID: {D009486C-AE61-48C1-B596-ED2BFD1C4668}

User: BENT\bent

Name: %BENT271

ID: %BENT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %BENT276

Alert Type: %BENT278

Detection Type: 1.1.1593.02

Event Record #/Type9760 / Warning
Event Submitted/Written: 06/14/2008 03:02:14 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%BENT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BENT27 can't undo changes that you allow.

For more information please see the following:
%BENT275

Scan ID: {6E5EDA2F-9E0F-426B-BBA4-40901161167F}

User: BENT\bent

Name: %BENT271

ID: %BENT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %BENT276

Alert Type: %BENT278

Detection Type: 1.1.1593.02

Event Record #/Type9738 / Error
Event Submitted/Written: 06/14/2008 02:36:19 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPv6 Helper Service service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-14 21:57:20 ------------

Shaba
2008-06-16, 16:32
Hi, and sorry for the delay.

I didn't get email notification for some reason.

Log looks good.

Still problems?

ohnredav
2008-06-18, 09:48
Still exists.

--- Search result list ---
Zlob.Downloader.vdt: [SBI $AC965326] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51D81DD5-55B7-497F-95DB-D356429BB54E}

Common Dialogs: History (6 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (63 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Cache: [SBI $49804B54] Cache (27) (Cache, nothing done)


History: [SBI $49804B54] History (3) (History, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-10 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-03 Includes\Adware.sbi (*)
2008-06-10 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-04 Includes\Hijackers.sbi (*)
2008-06-03 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-03 Includes\Malware.sbi (*)
2008-06-11 Includes\MalwareC.sbi (*)
2008-06-03 Includes\PUPS.sbi (*)
2008-06-10 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-03 Includes\Spyware.sbi (*)
2008-06-03 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-06-11 Includes\Trojans.sbi (*)
2008-06-11 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, Alcmtr
command: ALCMTR.EXE
file: C:\WINDOWS\ALCMTR.EXE
size: 69632
MD5: 8B4CBBA1EA526830C7F97E7822E2493A

Located: HK_LM:Run, GrooveMonitor
command: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
file: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 163840
MD5: DDE4A991F26179573D2CFA7A093F56FA

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 131072
MD5: E79977B1ECC05C53F0194750457BBB37

Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
size: 221184
MD5: A379B75A6FFE4DFD3184F35F0141CE91

Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: D2AEADFD998706B4216315B2BD3FA79E

Located: HK_LM:Run, MsmqIntCert
command: regsvr32 /s mqrt.dll
file: C:\WINDOWS\system32\reg.exe
size: 50176
MD5: C65122B94F7C82065FE86C32CF271F6D

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: C93AB037A8C792D5F8A1A9FC88A7C7C5

Located: HK_LM:Run, nod32kui
command: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Program Files\Eset\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF

Located: HK_LM:Run, NSLauncher
command: C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
file: C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
size: 3100672
MD5: D83EB2B71ECE7D606225F8EA1F3A68A2

Located: HK_LM:Run, Persistence
command: C:\WINDOWS\system32\igfxpers.exe
file: C:\WINDOWS\system32\igfxpers.exe
size: 135168
MD5: EAF47A526B911B0961D3FECEB442E0C4

Located: HK_LM:Run, RTHDCPL
command: RTHDCPL.EXE
file: C:\WINDOWS\RTHDCPL.EXE
size: 16270848
MD5: EABE00B18DCBEAB7D5B3823FD371F008

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C

Located: HK_LM:Run, ThreatFire
command: C:\Program Files\ThreatFire\TFTray.exe
file: C:\Program Files\ThreatFire\TFTray.exe
size: 259392
MD5: D65A881791753DD4D280BFCE936E1B51

Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_CU:Run, AWMON
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
file: C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156

Located: HK_CU:Run, ccleaner
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
file: C:\Program Files\CCleaner\CCleaner.exe
size: 1197296
MD5: 39486C0DFCE9C94CED3FFAEA4643E14C

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Uniblue SpyEraser
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
file: C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
size: 1424648
MD5: 2A3D2E9738E1197E479E9BFA0D616502

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---


--- ActiveX list ---
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 4/02/2008 5:23:10 PM
Date (last access): 18/06/2008 5:04:58 PM
Date (last write): 4/02/2008 5:23:10 PM
Filesize: 693792
Attributes: archive
MD5: D1346A4683E98836E2FE003859E5DC0D
CRC32: DF1DBA7A
Version: 1.6.28.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 720 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 788 ( 720) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 812 ( 720) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 856 ( 812) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 868 ( 812) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1040 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1108 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1220 ( 856) C:\Program Files\Windows Defender\MsMpEng.exe
size: 13592
MD5: F45DD1E1365D857DD08BC23563370D0E
PID: 1260 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1292 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1372 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1484 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1704 ( 856) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1984 (1916) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 188 (1984) C:\Program Files\Eset\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF
PID: 212 (1984) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: D2AEADFD998706B4216315B2BD3FA79E
PID: 240 (1984) C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 264 (1984) C:\Program Files\ThreatFire\TFTray.exe
size: 259392
MD5: D65A881791753DD4D280BFCE936E1B51
PID: 376 (1984) C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC
PID: 384 (1984) C:\WINDOWS\RTHDCPL.EXE
size: 16270848
MD5: EABE00B18DCBEAB7D5B3823FD371F008
PID: 428 (1984) C:\WINDOWS\system32\igfxtray.exe
size: 131072
MD5: E79977B1ECC05C53F0194750457BBB37
PID: 468 (1984) C:\WINDOWS\system32\hkcmd.exe
size: 163840
MD5: DDE4A991F26179573D2CFA7A093F56FA
PID: 480 (1984) C:\WINDOWS\system32\igfxpers.exe
size: 135168
MD5: EAF47A526B911B0961D3FECEB442E0C4
PID: 544 (1984) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C
PID: 580 (1984) C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
size: 1424648
MD5: 2A3D2E9738E1197E479E9BFA0D616502
PID: 420 (1984) C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156
PID: 644 (1984) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1308 ( 856) C:\WINDOWS\system32\msdtc.exe
size: 6144
MD5: A137F1470499A205ABBB9AAFB3B6F2B1
PID: 1468 ( 856) C:\Program Files\a-squared Free\a2service.exe
size: 651376
MD5: 66CEA2F31A16337E30BD0F2E1FD4989F
PID: 1632 ( 856) C:\WINDOWS\system32\cisvc.exe
size: 5632
MD5: 1CFE720EB8D93A7158A4EBC3AB178BDE
PID: 1836 ( 856) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15360
MD5: DB3C22745C0DA4666F3BE31F1AF36B2F
PID: 1928 ( 856) C:\Program Files\Eset\nod32krn.exe
size: 552064
MD5: 82F52E10A4DF718FF4CA67D2DBDE8D07
PID: 2092 ( 856) C:\WINDOWS\system32\tcpsvcs.exe
size: 19456
MD5: 32933B07FC16D9F778BEE12545FA1B1A
PID: 2172 ( 856) C:\WINDOWS\System32\snmp.exe
size: 33280
MD5: 60C377BE6B3CC83F6A8584934B181D2E
PID: 2204 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2276 ( 856) C:\Program Files\ThreatFire\TFService.exe
size: 66880
MD5: 9191A964D4E08346D62FD5A8279F62FD
PID: 2944 ( 856) C:\WINDOWS\system32\mqsvc.exe
size: 4608
MD5: AFB909B537AAE1BEAE7BBDB6A36D40B0
PID: 3440 ( 856) C:\WINDOWS\system32\mqtgsvc.exe
size: 117248
MD5: 7F955FF3B1BB93376EBE75D5ACCDC6DB
PID: 3496 ( 856) C:\WINDOWS\system32\imapi.exe
size: 150528
MD5: 30DEAF54A9755BB8546168CFE8A6B5E1
PID: 3896 ( 856) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 1600 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2388 (2592) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307712
MD5: D3D5F1B5AFC85B7EE35DD5F46F1D2CDB
PID: 3924 ( 264) C:\Program Files\ThreatFire\TFGui.exe
size: 1033536
MD5: 87F278BF6ACD7FC561A82E606C154BD1
PID: 3424 (1632) C:\WINDOWS\system32\cidaemon.exe
size: 8192
MD5: 582304F6F1946FA5068CF143D729D7ED
PID: 2856 (1632) C:\WINDOWS\system32\cidaemon.exe
size: 8192
MD5: 582304F6F1946FA5068CF143D729D7ED
PID: 2916 (1984) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 18/06/2008 5:47:03 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.ebay.com.au/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {D5D5D719-CEE1-4414-8EEB-DF1CB226979D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {920619E7-28B8-4510-94A6-A99A91B2BEB7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {CA14A6D6-4A8D-49DE-A0C4-AAECE76A82D4}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {C5BF6CA8-5955-43D8-B208-1F6CC2D23990}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {8C5F0EB9-8CC0-4927-8544-BA17A0CCB251}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 5: NOD32 protected [MSAFD Pgm (RDM)]
GUID: {4E5F8B81-AA43-48A3-8AC2-954D4CE91A20}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 6: NOD32 protected [MSAFD Pgm (Stream)]
GUID: {E5A7C8A1-4714-49ED-9830-D444CD8010C7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 7: NOD32 protected [MSAFD Tcpip [TCP/IPv6]]
GUID: {82BBC9C2-3606-4C46-BFE7-41E2E420040D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 8: NOD32 protected [MSAFD Tcpip [UDP/IPv6]]
GUID: {9ACEFB04-151E-42E2-80CA-A659AB2F04B6}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 9: NOD32 protected [MSAFD Tcpip [RAW/IPv6]]
GUID: {031EE870-115D-4AC6-AA8A-2D89EEF42F36}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 15: MSAFD Pgm (RDM)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 16: MSAFD Pgm (Stream)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 20: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: C:\WINDOWS\system32\imon.dll

Namespace Provider 0: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 1: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

ohnredav
2008-06-18, 11:10
It also keeps trying to turn my TeaTimer off.

Shaba
2008-06-18, 19:08
Hi

Yes but it got fixed.

Does it re-appear?

ohnredav
2008-06-19, 12:16
Yes, it reappears almost straight away.

Shaba
2008-06-19, 14:05
Hi

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

ohnredav
2008-06-22, 10:35
SmitFraudFix v2.328

Scan done at 18:30:43.65, Sun 22/06/2008
Run from C:\Documents and Settings\bent\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\bent


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\bent\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\bent\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:49, on 22/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wudfhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe" (User '?')
O4 - HKUS\S-1-5-21-725345543-1454471165-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.nrl.com
O15 - Trusted Zone: http://www.nrl.com.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6338 bytes

Shaba
2008-06-22, 11:15
Hi

OK, nothing there.

Please disable Ad-Watch next:

1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On/Off without closing it
Automatic: Suspicious activity will be blocked automatically

3. Uncheck both of those boxes.

After that, re-scan with Spybot and tell me if it still comes back.

ohnredav
2008-06-22, 12:19
Thanks for being patient.

--- Search result list ---
Zlob.Downloader.vdt: [SBI $AC965326] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{51D81DD5-55B7-497F-95DB-D356429BB54E}

Common Dialogs: History (12 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (30 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-725345543-1454471165-682003330-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

History: [SBI $49804B54] History (1) (History, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-10 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-18 Includes\Malware.sbi (*)
2008-06-17 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-06-17 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-18 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-06-11 Includes\Trojans.sbi (*)
2008-06-18 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, Alcmtr
command: ALCMTR.EXE
file: C:\WINDOWS\ALCMTR.EXE
size: 69632
MD5: 8B4CBBA1EA526830C7F97E7822E2493A

Located: HK_LM:Run, GrooveMonitor
command: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
file: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 163840
MD5: DDE4A991F26179573D2CFA7A093F56FA

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 131072
MD5: E79977B1ECC05C53F0194750457BBB37

Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
size: 221184
MD5: A379B75A6FFE4DFD3184F35F0141CE91

Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: D2AEADFD998706B4216315B2BD3FA79E

Located: HK_LM:Run, MsmqIntCert
command: regsvr32 /s mqrt.dll
file: C:\WINDOWS\system32\reg.exe
size: 50176
MD5: C65122B94F7C82065FE86C32CF271F6D

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: C93AB037A8C792D5F8A1A9FC88A7C7C5

Located: HK_LM:Run, nod32kui
command: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Program Files\Eset\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF

Located: HK_LM:Run, NSLauncher
command: C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
file: C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
size: 3100672
MD5: D83EB2B71ECE7D606225F8EA1F3A68A2

Located: HK_LM:Run, Persistence
command: C:\WINDOWS\system32\igfxpers.exe
file: C:\WINDOWS\system32\igfxpers.exe
size: 135168
MD5: EAF47A526B911B0961D3FECEB442E0C4

Located: HK_LM:Run, RTHDCPL
command: RTHDCPL.EXE
file: C:\WINDOWS\RTHDCPL.EXE
size: 16270848
MD5: EABE00B18DCBEAB7D5B3823FD371F008

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C

Located: HK_LM:Run, ThreatFire
command: C:\Program Files\ThreatFire\TFTray.exe
file: C:\Program Files\ThreatFire\TFTray.exe
size: 259392
MD5: D65A881791753DD4D280BFCE936E1B51

Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_CU:Run, AWMON
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
file: C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156

Located: HK_CU:Run, ccleaner
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
file: C:\Program Files\CCleaner\CCleaner.exe
size: 1197296
MD5: 39486C0DFCE9C94CED3FFAEA4643E14C

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Uniblue SpyEraser
where: S-1-5-21-725345543-1454471165-682003330-1003...
command: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
file: C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
size: 1424648
MD5: 2A3D2E9738E1197E479E9BFA0D616502

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 10/06/2008 7:35:24 PM
Date (last access): 22/06/2008 7:56:38 PM
Date (last write): 28/01/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11



--- ActiveX list ---
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 4/02/2008 5:23:10 PM
Date (last access): 22/06/2008 8:00:16 PM
Date (last write): 4/02/2008 5:23:10 PM
Filesize: 693792
Attributes: archive
MD5: D1346A4683E98836E2FE003859E5DC0D
CRC32: DF1DBA7A
Version: 1.6.28.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 740 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 788 ( 740) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 812 ( 740) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 856 ( 812) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 892 ( 812) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1048 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1116 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1248 ( 856) C:\Program Files\Windows Defender\MsMpEng.exe
size: 13592
MD5: F45DD1E1365D857DD08BC23563370D0E
PID: 1308 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1344 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1460 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1672 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1780 (1748) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1868 ( 856) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1916 (1344) C:\WINDOWS\System32\wudfhost.exe
size: 142848
MD5: 96F4266C594D6C880949E98D8F6A2B91
PID: 272 (1780) C:\Program Files\Eset\nod32kui.exe
size: 949376
MD5: DD855A1E52C391F52400CA4162A3BAFF
PID: 356 (1780) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: D2AEADFD998706B4216315B2BD3FA79E
PID: 372 (1780) C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 396 (1780) C:\Program Files\ThreatFire\TFTray.exe
size: 259392
MD5: D65A881791753DD4D280BFCE936E1B51
PID: 428 (1780) C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC
PID: 444 (1780) C:\WINDOWS\RTHDCPL.EXE
size: 16270848
MD5: EABE00B18DCBEAB7D5B3823FD371F008
PID: 464 (1780) C:\WINDOWS\system32\igfxtray.exe
size: 131072
MD5: E79977B1ECC05C53F0194750457BBB37
PID: 476 (1780) C:\WINDOWS\system32\hkcmd.exe
size: 163840
MD5: DDE4A991F26179573D2CFA7A093F56FA
PID: 524 (1780) C:\WINDOWS\system32\igfxpers.exe
size: 135168
MD5: EAF47A526B911B0961D3FECEB442E0C4
PID: 612 (1780) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C
PID: 660 (1780) C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
size: 1424648
MD5: 2A3D2E9738E1197E479E9BFA0D616502
PID: 676 (1780) C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156
PID: 276 (1780) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1468 ( 856) C:\WINDOWS\system32\msdtc.exe
size: 6144
MD5: A137F1470499A205ABBB9AAFB3B6F2B1
PID: 1540 ( 856) C:\Program Files\a-squared Free\a2service.exe
size: 651376
MD5: 66CEA2F31A16337E30BD0F2E1FD4989F
PID: 1584 ( 856) C:\WINDOWS\system32\cisvc.exe
size: 5632
MD5: 1CFE720EB8D93A7158A4EBC3AB178BDE
PID: 1716 ( 856) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15360
MD5: DB3C22745C0DA4666F3BE31F1AF36B2F
PID: 1268 ( 856) C:\Program Files\Eset\nod32krn.exe
size: 552064
MD5: 82F52E10A4DF718FF4CA67D2DBDE8D07
PID: 728 ( 856) C:\WINDOWS\system32\tcpsvcs.exe
size: 19456
MD5: 32933B07FC16D9F778BEE12545FA1B1A
PID: 776 ( 856) C:\WINDOWS\System32\snmp.exe
size: 33280
MD5: 60C377BE6B3CC83F6A8584934B181D2E
PID: 1764 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2096 ( 856) C:\Program Files\ThreatFire\TFService.exe
size: 66880
MD5: 9191A964D4E08346D62FD5A8279F62FD
PID: 2472 ( 856) C:\WINDOWS\system32\mqsvc.exe
size: 4608
MD5: AFB909B537AAE1BEAE7BBDB6A36D40B0
PID: 3284 ( 856) C:\WINDOWS\system32\mqtgsvc.exe
size: 117248
MD5: 7F955FF3B1BB93376EBE75D5ACCDC6DB
PID: 3380 ( 856) C:\WINDOWS\system32\imapi.exe
size: 150528
MD5: 30DEAF54A9755BB8546168CFE8A6B5E1
PID: 3724 ( 856) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 3604 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 4060 (1584) C:\WINDOWS\system32\cidaemon.exe
size: 8192
MD5: 582304F6F1946FA5068CF143D729D7ED
PID: 2020 (1584) C:\WINDOWS\system32\cidaemon.exe
size: 8192
MD5: 582304F6F1946FA5068CF143D729D7ED
PID: 2348 (1780) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307712
MD5: D3D5F1B5AFC85B7EE35DD5F46F1D2CDB
PID: 2876 (1780) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 22/06/2008 8:18:10 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.ebay.com.au/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {D5D5D719-CEE1-4414-8EEB-DF1CB226979D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {920619E7-28B8-4510-94A6-A99A91B2BEB7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {CA14A6D6-4A8D-49DE-A0C4-AAECE76A82D4}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {C5BF6CA8-5955-43D8-B208-1F6CC2D23990}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {8C5F0EB9-8CC0-4927-8544-BA17A0CCB251}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 5: NOD32 protected [MSAFD Pgm (RDM)]
GUID: {4E5F8B81-AA43-48A3-8AC2-954D4CE91A20}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 6: NOD32 protected [MSAFD Pgm (Stream)]
GUID: {E5A7C8A1-4714-49ED-9830-D444CD8010C7}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 7: NOD32 protected [MSAFD Tcpip [TCP/IPv6]]
GUID: {82BBC9C2-3606-4C46-BFE7-41E2E420040D}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 8: NOD32 protected [MSAFD Tcpip [UDP/IPv6]]
GUID: {9ACEFB04-151E-42E2-80CA-A659AB2F04B6}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 9: NOD32 protected [MSAFD Tcpip [RAW/IPv6]]
GUID: {031EE870-115D-4AC6-AA8A-2D89EEF42F36}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 10: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 11: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 12: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 13: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 14: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 15: MSAFD Pgm (RDM)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 16: MSAFD Pgm (Stream)
GUID: {14044783-3201-490C-9CA2-87A42D96A199}
Filename: %SystemRoot%\system32\mswsock.dll

Protocol 17: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 18: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 19: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 20: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3DE41F10-CD9B-4BD1-886A-23F5BD565D91}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3DE41F10-CD9B-4BD1-886A-23F5BD565D91}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{F424CD64-1E14-4B87-BF7C-F05247A0C4DE}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{F424CD64-1E14-4B87-BF7C-F05247A0C4DE}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A96C03DD-5405-4F1E-A5E4-FC11E30825AB}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A96C03DD-5405-4F1E-A5E4-FC11E30825AB}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DE41F10-CD9B-4BD1-886A-23F5BD565D91}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DE41F10-CD9B-4BD1-886A-23F5BD565D91}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F424CD64-1E14-4B87-BF7C-F05247A0C4DE}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 30: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F424CD64-1E14-4B87-BF7C-F05247A0C4DE}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 31: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3FFF616F-11D4-4C49-AC8D-FCED1A3FCD45}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 32: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3FFF616F-11D4-4C49-AC8D-FCED1A3FCD45}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 33: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DEF57C31-FABA-4183-BB44-148D243F45B6}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 34: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DEF57C31-FABA-4183-BB44-148D243F45B6}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 1: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 2: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 3: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 4: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Shaba
2008-06-22, 12:21
Hi

Does it now re-appear in the next Spybot scan?

ohnredav
2008-06-22, 13:42
Hi, thanks. The Zlob didn't appear in the Spybot scan, but I'm running the Ad-Aware scan again to see, as this is where I found it first.

Shaba
2008-06-22, 13:54
Hi

OK, post back after that then :)

ohnredav
2008-06-22, 14:26
Didn't appear in Ad-Aware, but I can't launch Internet Explorer now.

Shaba
2008-06-22, 14:31
Hi

Then you can try to either perform a repair installation of IE 7 or upgrade it to IE 8.

ohnredav
2008-06-23, 10:27
Hi,
thanks for that. It seems to be gone, no trace so far.
Thank you for your patience and help.

Shaba
2008-06-23, 16:14
Hi

Great :)

Any other issues left?

Shaba
2008-06-28, 11:04
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.