View Full Version : Virtumondo help
screweycazooey
2008-06-12, 20:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:22 PM, on 6/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\afan\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A30B575B-0E87-446B-BB58-DD22D0F61DE0} - C:\Windows\system32\fcccdEXP.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\fcccdEXP.dll,#1
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\afan\AppData\Local\Temp\geBrsPhG.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\afan\AppData\Local\Temp\geBssrSm.dll,c
O4 - HKCU\..\Run: [1d304d6b] rundll32.exe "C:\Users\afan\AppData\Local\Temp\vffuweuo.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: xkefqtgs - {CD58E104-9F8F-4A20-8196-81C6851F3CA7} - C:\Windows\xkefqtgs.dll (file missing)
O21 - SSODL: rnopbfgt - {A21010EF-D894-4A03-893B-988C6367DC44} - C:\Windows\rnopbfgt.dll (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11986 bytes
Hi
Please uninstall Spybot for now to make sure TeaTimer won't interfere fixing. You may reinstall it after system is clean :)
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
screweycazooey
2008-06-14, 07:12
Apologies for the delay. Thanks a lot for you help.
ComboFix 08-06-12.2 - afan 2008-06-13 23:45:52.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1326 [GMT -4:00]
Running from: C:\Users\afan\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\system32\fcccdEXP.dll
C:\Windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.
2008-06-12 16:55 . 2008-06-12 16:55 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-06-12 03:10 . 2008-06-12 03:10 118 --a------ C:\Windows\System32\MRT.INI
2008-06-12 02:48 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-12 02:48 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-12 02:47 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-12 02:47 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-12 00:59 . 2008-06-12 00:59 <DIR> d-------- C:\Windows\Sun
2008-06-11 22:31 . 2008-06-11 23:05 135 --a------ C:\Windows\wininit.ini
2008-06-10 15:46 . 2008-06-10 11:30 94,208 --a------ C:\Windows\eslf.exe
2008-06-10 15:46 . 2008-06-10 11:30 81,920 --a------ C:\Windows\pebgkxwq.exe
2008-06-10 15:37 . 2008-06-10 15:37 <DIR> d-------- C:\Program Files\Daniusoft
2008-06-10 15:04 . 2008-06-10 15:08 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-06-10 14:46 . 2008-06-10 14:46 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-06-10 13:43 . 2008-06-10 13:43 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Windows\System32\Color
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Windows\Driver Cache
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Microtek
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Kpcms
2008-06-07 23:01 . 1998-01-23 12:22 304,128 --a------ C:\Windows\IsUninst.exe
2008-06-07 23:01 . 2001-06-20 15:32 15,389 --a------ C:\Windows\System32\msmusd5.dll
2008-06-07 23:01 . 2001-06-20 15:44 13,962 --a------ C:\Windows\System32\msmusd6.dll
2008-06-07 23:01 . 2001-06-20 15:30 10,909 --a------ C:\Windows\System32\msmusd7.dll
2008-06-05 22:18 . 2008-06-05 22:18 <DIR> d-------- C:\Users\Guest\AppData\Roaming\acccore
2008-06-03 15:48 . 2007-04-09 13:23 28,040 --a------ C:\Windows\System32\mdimon.dll
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-03 15:45 . 2008-06-03 15:45 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-03 15:09 . 2008-06-13 00:45 <DIR> d-------- C:\Users\All Users\Google Updater
2008-06-03 15:09 . 2008-06-13 00:45 <DIR> d-------- C:\ProgramData\Google Updater
2008-06-03 14:35 . 2008-06-03 14:37 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips
2008-05-29 17:30 . 2008-03-07 22:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-29 17:30 . 2008-03-08 00:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 03:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-14 03:33 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-13 06:02 --------- d-----w C:\Users\afan_2\AppData\Roaming\OpenOffice.org2
2008-06-12 07:19 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 18:52 --------- d-----w C:\Users\afan_2\AppData\Roaming\goombah
2008-06-10 17:07 --------- d-----w C:\Users\afan_2\AppData\Roaming\Ruckus Network
2008-06-03 20:44 --------- d-----w C:\Program Files\Google
2008-06-03 20:09 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-03 19:45 --------- d-----w C:\Program Files\Microsoft Office XP
2008-05-30 18:19 507,400 ----a-w C:\Windows\System32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\Windows\System32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\Windows\System32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\Windows\System32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\Windows\System32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\Windows\System32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\Windows\System32\D3DCompiler_38.dll
2008-05-15 16:56 --------- d-----w C:\Program Files\HP
2008-05-14 19:01 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-09 22:18 --------- d-----w C:\Program Files\iTunes
2008-05-09 22:18 --------- d-----w C:\Program Files\iPod
2008-05-09 22:17 --------- d-----w C:\ProgramData\Apple Computer
2008-05-09 22:15 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:11 --------- d-----w C:\Users\afan_2\AppData\Roaming\Bao_Nguyen
2008-05-09 06:48 --------- d-----w C:\Program Files\Switcher
2008-05-09 04:27 174 --sha-w C:\Program Files\desktop.ini
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Journal
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Defender
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Calendar
2008-05-09 03:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-09 03:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-07 19:39 --------- d-----w C:\Users\afan_2\AppData\Roaming\Aston
2008-05-06 22:40 --------- d--h--w C:\ProgramData\{A850D4D9-871B-4234-908D-21C457767270}
2008-05-06 22:40 --------- d-----w C:\Program Files\Stardock
2008-05-06 01:34 --------- d-----w C:\Users\afan_2\AppData\Roaming\Winamp
2008-05-05 07:00 --------- d-----w C:\Program Files\SysMetrix
2008-05-05 05:35 --------- d-----w C:\Users\afan\AppData\Roaming\Winamp
2008-05-05 05:34 --------- d-----w C:\Program Files\Winamp
2008-05-04 17:09 --------- d-----w C:\Program Files\Handbrake
2008-05-02 04:42 --------- d-----r C:\Program Files\Aston
2008-05-02 02:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-01 20:06 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-01 20:04 2,560 ----a-w C:\Windows\_MSRSTRT.EXE
2008-05-01 18:39 --------- d-----w C:\Users\afan\AppData\Roaming\Aston
2008-04-29 09:49 237,568 ----a-w C:\Windows\System32\UCI32A29.dll
2008-04-23 02:20 --------- d-----w C:\Program Files\Safari
2008-04-23 02:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 03:27 --------- d-----w C:\ProgramData\DVD Shrink
2008-04-19 22:06 --------- d-----w C:\Program Files\Java
2008-04-15 01:21 --------- d-----w C:\Users\afan\AppData\Roaming\goombah
2008-04-14 22:17 --------- d-----w C:\Users\afan\AppData\Roaming\Ruckus Network
2008-04-14 22:16 --------- d-----w C:\Program Files\Ruckus Player
2008-04-14 22:16 --------- d-----w C:\Program Files\Emergent Music LLC
2008-01-14 02:36 70 ----a-w C:\Users\afan_2\AppData\Roaming\wklnhst.dat
2007-10-18 22:30 92,792 ----a-w C:\Users\afan_2\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-08-12 15:37 0 ----a-w C:\Users\afan\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 18:59 418632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 19:31 1033512]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 14:58 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 13:56 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 13:32 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-09-30 20:34 181544]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-03 15:44 29744]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 03:29 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 17:14 185896]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" [ ]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]
C:\Users\afan_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]
C:\Users\afan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-03-20 22:26:50 542192]
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-02-20 17:46:39 34520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microtek Scanner Finder.lnk - C:\Windows\twain_32\ScanWiz5\SDII.exe [2008-06-07 23:01:44 315392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"= {CD58E104-9F8F-4A20-8196-81C6851F3CA7} - C:\Windows\xkefqtgs.dll [ ]
"rnopbfgt"= {A21010EF-D894-4A03-893B-988C6367DC44} - C:\Windows\rnopbfgt.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24124BC9-D0B4-4D16-B548-EA088837B96C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C1ACF76-B0EA-4817-BDF3-DFE608F32499}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B6556F04-12EF-4E6C-AF62-0759B408C0C5}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:_this_program_will_be_deleted
"{F391A3A2-62BE-45C4-A752-698CC5B88D2D}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6082C18A-D077-421F-9B63-B246686B36CF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{F0C162CD-B8CC-4144-80FC-0ABF376D1F6D}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{EC89DA13-0EEA-44D2-8628-B42B13C74A2D}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{93F204DD-D275-4C46-AC61-9C093D36F952}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{E1543A6F-9F44-4E31-9A51-9A9D252DB772}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{399CE538-28AF-4D26-BCC0-19F1F6E2D3BE}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8546C508-9A45-4E16-AC25-A1FE66D9ACD9}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A799BC22-6336-40F9-B13C-20F90317095F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6431ADE0-9A31-4B06-A2C2-2272E7EF10FC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BE3DE1DF-DB05-4EDE-B70A-417A88923A0D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6ED19446-B756-49E3-BE83-A8C380458621}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{863AC9A1-5B36-4B83-80C5-AA0B549D445F}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CFEFAD8B-E1D1-426A-8F3B-FF7A88222ABC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7D9422F8-2712-43B7-8690-B0F9FD46CD32}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1CB3EA99-6D61-4D68-86C0-E9D275E706A5}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F624AFA8-FCBB-4D98-B711-287D3A9F407D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{DEBC0016-5E1C-45EF-8891-4F89B56974DE}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{8C5F50C1-475D-41BB-8125-FC97BBAD9F2C}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{F19CE21B-1AB6-4C11-8527-225B50BB13CD}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"TCP Query User{50565B88-EA61-4714-8C60-BE6CADC0E468}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{08B9E37E-EA0D-4E7A-A237-A419FF20D336}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"{737D4A6E-1C32-4906-9581-E45AB7F7E7EC}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{06C7A5DC-DFD2-4D3D-B63B-00E36EC49A6D}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{96AAE697-1858-4317-811C-AEA1BDF200BA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{04BA223A-FBFD-47CC-8D74-9F177ED491BC}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D64FDADA-636D-4BD4-A598-BE8101EEB7B5}"= UDP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{FED341A9-85F6-423A-963E-28DE90CACEA3}"= TCP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{9E30B206-9C55-4DEF-AB50-DB6B1204ED6E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{616E13E3-9C60-4A85-B111-9E68AA74CBA7}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5EBA58FD-7F87-445B-9179-57FAE56330AA}"= UDP:C:\Program Files\Microsoft Office XP\OFFICE11\OUTLOOK.EXE:OUTLOOK
"{C7E4275D-CFD8-48FB-897C-60B2161F7A2D}"= TCP:C:\Program Files\Microsoft Office XP\OFFICE11\OUTLOOK.EXE:OUTLOOK
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 06:02]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 20:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 20:34]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 17:46]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 05:10]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\Windows\System32\DRIVERS\ASPI32.sys [1996-07-12 19:31]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-03 15:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c78e18d7-fffe-11db-9ac3-806e6f6e6963}]
\shell\AutoRun\command - E:\CDSETUP.EXE
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 03:49:00 C:\Windows\Tasks\User_Feed_Synchronization-{F0AE8B95-7DC2-47E3-BBB2-FD95E5061C73}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 23:50:38
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-13 23:52:17
ComboFix-quarantined-files.txt 2008-06-14 03:52:08
Pre-Run: 57,880,170,496 bytes free
Post-Run: 58,091,859,968 bytes free
237 --- E O F --- 2008-06-12 07:12:47
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:59 AM, on 6/14/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\afan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: xkefqtgs - {CD58E104-9F8F-4A20-8196-81C6851F3CA7} - C:\Windows\xkefqtgs.dll (file missing)
O21 - SSODL: rnopbfgt - {A21010EF-D894-4A03-893B-988C6367DC44} - C:\Windows\rnopbfgt.dll (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10919 bytes
Hi
Start hjt, do a system scan, check:
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\eslf.exe
C:\Windows\pebgkxwq.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"=-
"rnopbfgt"=-
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log (without forgetting above meantioned ComboFix resultant log) in your next reply.
screweycazooey
2008-06-15, 09:01
Malwarebytes' Anti-Malware 1.17
Database version: 846
1:52:00 AM 6/15/2008
mbam-log-6-15-2008 (01-52-00).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 229560
Time elapsed: 54 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\Windows\eslf.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
ComboFix 08-06-12.2 - afan 2008-06-14 23:41:29.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1250 [GMT -4:00]
Running from: C:\Users\afan\Desktop\ComboFix.exe
Command switches used :: C:\Users\afan\Desktop\CFScript.txt
FILE ::
C:\Windows\eslf.exe
C:\Windows\pebgkxwq.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\eslf.exe
C:\Windows\pebgkxwq.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
2008-06-12 16:55 . 2008-06-12 16:55 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-06-12 03:10 . 2008-06-12 03:10 118 --a------ C:\Windows\System32\MRT.INI
2008-06-12 02:48 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-12 02:48 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-12 02:47 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-12 02:47 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-12 00:59 . 2008-06-12 00:59 <DIR> d-------- C:\Windows\Sun
2008-06-11 22:31 . 2008-06-11 23:05 135 --a------ C:\Windows\wininit.ini
2008-06-10 15:37 . 2008-06-10 15:37 <DIR> d-------- C:\Program Files\Daniusoft
2008-06-10 15:04 . 2008-06-10 15:08 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-06-10 14:46 . 2008-06-10 14:46 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2008-06-10 13:43 . 2008-06-10 13:43 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Windows\System32\Color
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Windows\Driver Cache
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Microtek
2008-06-07 23:01 . 2008-06-07 23:01 <DIR> d-------- C:\Kpcms
2008-06-07 23:01 . 1998-01-23 12:22 304,128 --a------ C:\Windows\IsUninst.exe
2008-06-07 23:01 . 2001-06-20 15:32 15,389 --a------ C:\Windows\System32\msmusd5.dll
2008-06-07 23:01 . 2001-06-20 15:44 13,962 --a------ C:\Windows\System32\msmusd6.dll
2008-06-07 23:01 . 2001-06-20 15:30 10,909 --a------ C:\Windows\System32\msmusd7.dll
2008-06-05 22:18 . 2008-06-05 22:18 <DIR> d-------- C:\Users\Guest\AppData\Roaming\acccore
2008-06-03 15:48 . 2007-04-09 13:23 28,040 --a------ C:\Windows\System32\mdimon.dll
2008-06-03 15:46 . 2008-06-03 15:46 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-03 15:45 . 2008-06-03 15:45 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-03 15:09 . 2008-06-14 22:59 <DIR> d-------- C:\Users\All Users\Google Updater
2008-06-03 15:09 . 2008-06-14 22:59 <DIR> d-------- C:\ProgramData\Google Updater
2008-06-03 14:35 . 2008-06-03 14:37 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips
2008-05-29 17:30 . 2008-03-07 22:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-29 17:30 . 2008-03-08 00:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 12:51 --------- d-----w C:\Users\afan_2\AppData\Roaming\OpenOffice.org2
2008-06-14 03:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-14 03:33 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-12 07:19 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 18:52 --------- d-----w C:\Users\afan_2\AppData\Roaming\goombah
2008-06-10 17:07 --------- d-----w C:\Users\afan_2\AppData\Roaming\Ruckus Network
2008-06-03 20:44 --------- d-----w C:\Program Files\Google
2008-06-03 20:09 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-03 19:45 --------- d-----w C:\Program Files\Microsoft Office XP
2008-05-30 18:19 507,400 ----a-w C:\Windows\System32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\Windows\System32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\Windows\System32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\Windows\System32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\Windows\System32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\Windows\System32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\Windows\System32\D3DCompiler_38.dll
2008-05-15 16:56 --------- d-----w C:\Program Files\HP
2008-05-14 19:01 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-09 22:18 --------- d-----w C:\Program Files\iTunes
2008-05-09 22:18 --------- d-----w C:\Program Files\iPod
2008-05-09 22:17 --------- d-----w C:\ProgramData\Apple Computer
2008-05-09 22:15 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:11 --------- d-----w C:\Users\afan_2\AppData\Roaming\Bao_Nguyen
2008-05-09 06:48 --------- d-----w C:\Program Files\Switcher
2008-05-09 04:27 174 --sha-w C:\Program Files\desktop.ini
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Journal
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Defender
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-09 04:16 --------- d-----w C:\Program Files\Windows Calendar
2008-05-09 03:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-09 03:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-07 19:39 --------- d-----w C:\Users\afan_2\AppData\Roaming\Aston
2008-05-06 22:40 --------- d--h--w C:\ProgramData\{A850D4D9-871B-4234-908D-21C457767270}
2008-05-06 22:40 --------- d-----w C:\Program Files\Stardock
2008-05-06 01:34 --------- d-----w C:\Users\afan_2\AppData\Roaming\Winamp
2008-05-05 07:00 --------- d-----w C:\Program Files\SysMetrix
2008-05-05 05:35 --------- d-----w C:\Users\afan\AppData\Roaming\Winamp
2008-05-05 05:34 --------- d-----w C:\Program Files\Winamp
2008-05-04 17:09 --------- d-----w C:\Program Files\Handbrake
2008-05-02 04:42 --------- d-----r C:\Program Files\Aston
2008-05-02 02:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-01 20:06 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-01 20:04 2,560 ----a-w C:\Windows\_MSRSTRT.EXE
2008-05-01 18:39 --------- d-----w C:\Users\afan\AppData\Roaming\Aston
2008-04-29 09:49 237,568 ----a-w C:\Windows\System32\UCI32A29.dll
2008-04-23 02:20 --------- d-----w C:\Program Files\Safari
2008-04-23 02:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 03:27 --------- d-----w C:\ProgramData\DVD Shrink
2008-04-19 22:06 --------- d-----w C:\Program Files\Java
2008-04-15 01:21 --------- d-----w C:\Users\afan\AppData\Roaming\goombah
2008-01-14 02:36 70 ----a-w C:\Users\afan_2\AppData\Roaming\wklnhst.dat
2007-10-18 22:30 92,792 ----a-w C:\Users\afan_2\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-08-12 15:37 0 ----a-w C:\Users\afan\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-13_23.51.42.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 03:38:11 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-15 03:06:55 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-14 03:38:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-15 02:49:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-14 03:38:13 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-15 02:49:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-14 03:40:01 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-15 02:50:53 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-14 03:39:56 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-15 02:50:48 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-14 03:38:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-15 03:10:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-14 03:38:13 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-15 03:10:35 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-14 03:38:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-15 03:10:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-12 14:25:38 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-06-14 12:59:04 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-06-14 03:40:07 7,596 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3653426806-1647728314-612228019-1000_UserData.bin
+ 2008-06-15 02:51:44 7,596 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3653426806-1647728314-612228019-1000_UserData.bin
- 2008-06-13 02:35:46 10,038 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3653426806-1647728314-612228019-1001_UserData.bin
+ 2008-06-14 12:52:15 10,038 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3653426806-1647728314-612228019-1001_UserData.bin
- 2008-06-14 03:40:07 72,532 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-15 02:51:44 72,658 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-14 03:40:04 54,450 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-15 02:51:43 54,466 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-13 04:05:23 290,376 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-06-15 03:06:57 290,698 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-06-12 07:03:41 124,403,294 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-06-14 12:58:35 125,317,224 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 18:59 418632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 19:31 1033512]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 14:58 159744]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 13:56 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 13:32 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-09-30 20:34 181544]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-03 15:44 29744]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 03:29 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 17:14 185896]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" [ ]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]
C:\Users\afan_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]
C:\Users\afan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-03-20 22:26:50 542192]
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007-02-20 17:46:39 34520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office XP\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microtek Scanner Finder.lnk - C:\Windows\twain_32\ScanWiz5\SDII.exe [2008-06-07 23:01:44 315392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{24124BC9-D0B4-4D16-B548-EA088837B96C}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C1ACF76-B0EA-4817-BDF3-DFE608F32499}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B6556F04-12EF-4E6C-AF62-0759B408C0C5}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:_this_program_will_be_deleted
"{F391A3A2-62BE-45C4-A752-698CC5B88D2D}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{6082C18A-D077-421F-9B63-B246686B36CF}"= C:\Program Files\HP Connections\6811507\Program\HP Connections:HP Connections
"{F0C162CD-B8CC-4144-80FC-0ABF376D1F6D}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{EC89DA13-0EEA-44D2-8628-B42B13C74A2D}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{93F204DD-D275-4C46-AC61-9C093D36F952}"= UDP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{E1543A6F-9F44-4E31-9A51-9A9D252DB772}"= TCP:C:\Program Files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{399CE538-28AF-4D26-BCC0-19F1F6E2D3BE}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8546C508-9A45-4E16-AC25-A1FE66D9ACD9}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A799BC22-6336-40F9-B13C-20F90317095F}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6431ADE0-9A31-4B06-A2C2-2272E7EF10FC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BE3DE1DF-DB05-4EDE-B70A-417A88923A0D}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6ED19446-B756-49E3-BE83-A8C380458621}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{863AC9A1-5B36-4B83-80C5-AA0B549D445F}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CFEFAD8B-E1D1-426A-8F3B-FF7A88222ABC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7D9422F8-2712-43B7-8690-B0F9FD46CD32}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1CB3EA99-6D61-4D68-86C0-E9D275E706A5}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F624AFA8-FCBB-4D98-B711-287D3A9F407D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{DEBC0016-5E1C-45EF-8891-4F89B56974DE}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{8C5F50C1-475D-41BB-8125-FC97BBAD9F2C}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"{F19CE21B-1AB6-4C11-8527-225B50BB13CD}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:SAV
"TCP Query User{50565B88-EA61-4714-8C60-BE6CADC0E468}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{08B9E37E-EA0D-4E7A-A237-A419FF20D336}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"{737D4A6E-1C32-4906-9581-E45AB7F7E7EC}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{06C7A5DC-DFD2-4D3D-B63B-00E36EC49A6D}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{96AAE697-1858-4317-811C-AEA1BDF200BA}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{04BA223A-FBFD-47CC-8D74-9F177ED491BC}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D64FDADA-636D-4BD4-A598-BE8101EEB7B5}"= UDP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{FED341A9-85F6-423A-963E-28DE90CACEA3}"= TCP:C:\Program Files\Ruckus Player\Ruckus.exe:Ruckus
"{9E30B206-9C55-4DEF-AB50-DB6B1204ED6E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{616E13E3-9C60-4A85-B111-9E68AA74CBA7}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5EBA58FD-7F87-445B-9179-57FAE56330AA}"= UDP:C:\Program Files\Microsoft Office XP\OFFICE11\OUTLOOK.EXE:OUTLOOK
"{C7E4275D-CFD8-48FB-897C-60B2161F7A2D}"= TCP:C:\Program Files\Microsoft Office XP\OFFICE11\OUTLOOK.EXE:OUTLOOK
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 06:02]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 20:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 20:34]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 17:46]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-03 05:10]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 19:36]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\Windows\System32\DRIVERS\ASPI32.sys [1996-07-12 19:31]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-03 15:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c78e18d7-fffe-11db-9ac3-806e6f6e6963}]
\shell\AutoRun\command - E:\CDSETUP.EXE
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 03:45:00 C:\Windows\Tasks\User_Feed_Synchronization-{F0AE8B95-7DC2-47E3-BBB2-FD95E5061C73}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 23:44:24
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-14 23:45:59
ComboFix-quarantined-files.txt 2008-06-15 03:45:53
ComboFix2.txt 2008-06-14 03:52:17
Pre-Run: 58,165,440,512 bytes free
Post-Run: 58,132,959,232 bytes free
267 --- E O F --- 2008-06-12 07:12:47
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:07 AM, on 6/15/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Users\afan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10501 bytes
You may reinstall Spybot now :)
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
A To disable the System Restore feature:
1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.
B. Reboot.
C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
screweycazooey
2008-06-16, 09:46
I just reinstalled Spybot and ran it. It says I still have virtumonde as well as AdRevolver :sad: Also, Avast! apparently caught another trojan. It infected cbXQiGyV.dll. I moved this to the virus chest, but now every time I boot up my computer, I get an error that this file could not be found. Is this a problem? Do you need another HJT log? I have not yet done anything else mentioned in your previous post. Thanks.
Yes, I need to see a fresh hjt log. Post it, please.
screweycazooey
2008-06-16, 18:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:33 AM, on 6/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\afan\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10804 bytes
Hi
That looks like a clean log to me :) If Spybot still detects something post the findings here, please.
screweycazooey
2008-06-17, 20:57
Virtumonde still turns up in Spybot. Every time I reboot it comes back.
Hi
Please post Spybot report that contains those findings.
screweycazooey
2008-06-17, 23:31
--- Search result list ---
Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3653426806-1647728314-612228019-1001\Software\Microsoft\rdfa
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2007-07-08 ImmunizeUIv2.exe (2.0.2.3)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-16 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-03 Includes\Adware.sbi (*)
2008-06-10 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-04 Includes\Hijackers.sbi (*)
2008-06-03 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-03 Includes\Malware.sbi (*)
2008-06-11 Includes\MalwareC.sbi (*)
2008-06-03 Includes\PUPS.sbi (*)
2008-06-10 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-03 Includes\Spyware.sbi (*)
2008-06-03 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-11 Includes\Trojans.sbi (*)
2008-06-11 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB941833)
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: 8CF58586AE4577ED71FFE8883A6D4B3B
Located: HK_LM:Run, Google Desktop Search
command: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
file: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
Located: HK_LM:Run, HotKeysCmds
command: C:\Windows\system32\hkcmd.exe
file: C:\Windows\system32\hkcmd.exe
size: 166424
MD5: 5F529FBB095CBC9F14BB1E97A7A6B547
Located: HK_LM:Run, HP Health Check Scheduler
command: [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, HP Software Update
command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
size: 54840
MD5: 21293443961A4E2597453EE7A9347F22
Located: HK_LM:Run, hpWirelessAssistant
command: %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
file: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
size: 472800
MD5: F3C9ADCBF74090552EDC76F81A553D81
Located: HK_LM:Run, IgfxTray
command: C:\Windows\system32\igfxtray.exe
file: C:\Windows\system32\igfxtray.exe
size: 141848
MD5: 7F7B42B1BA42242116F5B277A063FE2E
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 267048
MD5: 04A9F0C58B170F30445BCC0683EF9FFC
Located: HK_LM:Run, Persistence
command: C:\Windows\system32\igfxpers.exe
file: C:\Windows\system32\igfxpers.exe
size: 133656
MD5: D8A33AF26E4143F7A892009890BB6F64
Located: HK_LM:Run, QlbCtrl
command: %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
file: C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
size: 159744
MD5: 20321CA0F49D143FDB4CEF926A05E10A
Located: HK_LM:Run, QPService
command: "C:\Program Files\HP\QuickPlay\QPService.exe"
file: C:\Program Files\HP\QuickPlay\QPService.exe
size: 181544
MD5: CF41C54529021D0E393BD149FEE4F03E
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6DF76965A0FB8237E9C3B3CAB9815EC2
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1033512
MD5: 19D93154C82FE39A99B269CED1056A92
Located: HK_LM:Run, SynTPStart
command: C:\Program Files\Synaptics\SynTP\SynTPStart.exe
file: C:\Program Files\Synaptics\SynTP\SynTPStart.exe
size: 102400
MD5: A3418E4D4A5EE636D44922DC2567FA18
Located: HK_LM:Run, SysMetrix
command: C:\Program Files\SysMetrix\SysMetrix.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
Located: HK_LM:Run, WAWifiMessage
command: %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
file: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
size: 317152
MD5: 6006C370B18A345203D26038518F5F86
Located: HK_LM:Run, WinampAgent
command: "C:\Program Files\Winamp\winampa.exe"
file: C:\Program Files\Winamp\winampa.exe
size: 36352
MD5: 93146CD558AE246116BA3315E15505B7
Located: HK_LM:RunOnce, Launcher
command: %WINDIR%\SMINST\launcher.exe
file: C:\Windows\SMINST\launcher.exe
size: 44128
MD5: 50ECAA360582260ACC5E1495CC34A22E
Located: HK_CU:Run, Aim6
where: PE_C_GUEST...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ehTray.exe
where: PE_C_GUEST...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
Located: HK_CU:Run, Sidebar
where: PE_C_GUEST...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
file: C:\Program Files\Windows Sidebar\sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-19...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-20...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, Aim6
where: S-1-5-21-3653426806-1647728314-612228019-1000...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, CursorFX
where: S-1-5-21-3653426806-1647728314-612228019-1000...
command: "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
file: C:\Program Files\Stardock\CursorFX\CursorFX.exe
size: 418632
MD5: 26BBC495E1C678C8BA47BDF865225551
Located: HK_CU:Run, ehTray.exe
where: S-1-5-21-3653426806-1647728314-612228019-1000...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
Located: HK_CU:Run, Sidebar
where: S-1-5-21-3653426806-1647728314-612228019-1000...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
file: C:\Program Files\Windows Sidebar\sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-3653426806-1647728314-612228019-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
Located: HK_CU:Run, 1d304d6b
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: rundll32.exe "C:\Users\afan_2\AppData\Local\Temp\umdyvmxu.dll",b
file: C:\Users\afan_2\AppData\Local\Temp\umdyvmxu.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, Aim6
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, AnyDVD
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ehTray.exe
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
Located: HK_CU:Run, ISUSPM Startup
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
size: 221184
MD5: A379B75A6FFE4DFD3184F35F0141CE91
Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6DF76965A0FB8237E9C3B3CAB9815EC2
Located: HK_CU:Run, swg
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
Located: HK_CU:Run, Switcher
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: "C:\Program Files\Switcher\Switcher.exe" /quiet
file: C:\Program Files\Switcher\Switcher.exe
size: 425984
MD5: 78C0E1B755AD36AE45C1DCBE39944093
Located: Startup (common), Google Calendar Sync.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
file: C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
size: 542192
MD5: 29834B14BEC6F5F1216F827FE48C0AB7
Located: Startup (common), HP Connections.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
file: C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
size: 34520
MD5: 3754F4C688BFD04BC886112BD6566A9B
Located: Startup (common), Microsoft Office.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A
Located: Startup (common), Microtek Scanner Finder.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Windows\twain_32\ScanWiz5\SDII.exe
file: C:\Windows\twain_32\ScanWiz5\SDII.exe
size: 315392
MD5: 447DE0D24F9EB3349DA9C7D3C4CB76FA
Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
where: C:\Users\afan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
size: 101784
MD5: 24F5015DEB7C744DDF34CD786B6FA03F
Located: Startup (user), OpenOffice.org 2.3.lnk
where: C:\Users\afan_2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
file: C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
size: 393216
MD5: 01F7BA16BC60D65149FA36F355319171
Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 2/20/2007 5:48:54 PM
Date (last access): 2/20/2007 5:48:54 PM
Date (last write): 9/27/2006 6:42:50 PM
Filesize: 441408
Attributes: archive
MD5: 2F56D8F57D4CCCD8970F59A40989545F
CRC32: 74FB5695
Version: 2006.9.27.1
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 2/10/2008 10:42:32 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 6/16/2008 1:24:34 AM
Date (last access): 6/16/2008 1:24:34 AM
Date (last write): 1/28/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\
Long name: swg.dll
Short name:
Date (created): 6/3/2008 3:10:02 PM
Date (last access): 6/3/2008 3:10:02 PM
Date (last write): 6/3/2008 3:10:02 PM
Filesize: 654320
Attributes: archive
MD5: 72D6804DC43CC0CF4F10E699D7738138
CRC32: ABF4BA3E
Version: 2.1.1119.1736
--- ActiveX list ---
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi160.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
--- Process list ---
PID: 2716 (1080) C:\Windows\system32\taskeng.exe
size: 169472
MD5: 5F109032CE46B7184ED9E50F9FE8489E
PID: 3268 (1060) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 59903071D7ACE6A02093C47E9E38AF97
PID: 3312 (3256) C:\Windows\Explorer.EXE
size: 2927104
MD5: FFA764631CB70A30065C12EF8E174F9F
PID: 3420 (3312) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1033512
MD5: 19D93154C82FE39A99B269CED1056A92
PID: 3440 (3312) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
size: 159744
MD5: 20321CA0F49D143FDB4CEF926A05E10A
PID: 3460 (3312) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
size: 317152
MD5: 6006C370B18A345203D26038518F5F86
PID: 3472 (3312) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
size: 472800
MD5: F3C9ADCBF74090552EDC76F81A553D81
PID: 3488 (3312) C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 3500 (3312) C:\Program Files\Alwil Software\Avast4\ashDisp.exe
size: 79224
MD5: 8CF58586AE4577ED71FFE8883A6D4B3B
PID: 3508 (3312) C:\Program Files\HP\QuickPlay\QPService.exe
size: 181544
MD5: CF41C54529021D0E393BD149FEE4F03E
PID: 3520 (3312) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 3528 (3312) C:\Program Files\Synaptics\SynTP\SynTPStart.exe
size: 102400
MD5: A3418E4D4A5EE636D44922DC2567FA18
PID: 3544 (3312) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
PID: 3552 (3312) C:\Program Files\Winamp\winampa.exe
size: 36352
MD5: 93146CD558AE246116BA3315E15505B7
PID: 3568 (3312) C:\Windows\System32\hkcmd.exe
size: 166424
MD5: 5F529FBB095CBC9F14BB1E97A7A6B547
PID: 3580 (3312) C:\Windows\System32\igfxpers.exe
size: 133656
MD5: D8A33AF26E4143F7A892009890BB6F64
PID: 3628 (3312) C:\Program Files\iTunes\iTunesHelper.exe
size: 267048
MD5: 04A9F0C58B170F30445BCC0683EF9FFC
PID: 3636 (3312) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
size: 54840
MD5: 21293443961A4E2597453EE7A9347F22
PID: 3660 (3312) C:\Windows\ehome\ehtray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
PID: 3668 (3312) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 3684 (3312) C:\Program Files\Switcher\Switcher.exe
size: 425984
MD5: 78C0E1B755AD36AE45C1DCBE39944093
PID: 3696 (3312) C:\Windows\System32\rundll32.exe
size: 44544
MD5: 4B555106290BD117334E9A08761C035A
PID: 3716 (3312) C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
size: 542192
MD5: 29834B14BEC6F5F1216F827FE48C0AB7
PID: 3756 (3312) C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
size: 34520
MD5: 3754F4C688BFD04BC886112BD6566A9B
PID: 3788 (3312) C:\Windows\twain_32\ScanWiz5\SDII.exe
size: 315392
MD5: 447DE0D24F9EB3349DA9C7D3C4CB76FA
PID: 3876 (3520) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 2568 (3832) C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
size: 2359296
MD5: 9A00D0292845C4138B88E32111E1487B
PID: 3028 (3520) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 1580 (2568) C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
size: 2510848
MD5: F1C3220C70D01BFBE076280DC64EADAE
PID: 3376 (3420) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
size: 95528
MD5: 892699A6AEB910C58B726BD70BEA4F4B
PID: 3692 (3312) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 408 ( 4) smss.exe
size: 64000
PID: 476 ( 464) csrss.exe
size: 6144
PID: 520 ( 464) wininit.exe
size: 96768
PID: 528 ( 512) csrss.exe
size: 6144
PID: 564 ( 520) services.exe
size: 279040
PID: 576 ( 520) lsass.exe
size: 9728
PID: 584 ( 520) lsm.exe
size: 229888
PID: 660 ( 512) winlogon.exe
size: 314880
PID: 792 ( 564) svchost.exe
size: 21504
PID: 860 ( 564) svchost.exe
size: 21504
PID: 904 ( 564) svchost.exe
size: 21504
PID: 1000 ( 564) svchost.exe
size: 21504
PID: 1060 ( 564) svchost.exe
size: 21504
PID: 1080 ( 564) svchost.exe
size: 21504
PID: 1156 (1000) audiodg.exe
size: 88064
PID: 1184 ( 564) SLsvc.exe
size: 2623488
PID: 1224 ( 564) svchost.exe
size: 21504
PID: 1344 ( 564) svchost.exe
size: 21504
PID: 1460 ( 564) aswUpdSv.exe
PID: 1472 ( 564) ashServ.exe
PID: 1668 ( 564) spoolsv.exe
size: 125952
PID: 1708 ( 564) svchost.exe
size: 21504
PID: 1900 ( 564) AppleMobileDeviceService.exe
PID: 1936 ( 564) mDNSResponder.exe
PID: 1972 ( 564) GoogleUpdaterService.exe
PID: 1996 ( 564) LSSrvc.exe
PID: 2012 ( 564) MDM.EXE
PID: 344 ( 564) svchost.exe
size: 21504
PID: 452 ( 564) QPCapSvc.exe
PID: 1968 ( 564) svchost.exe
size: 21504
PID: 732 ( 564) svchost.exe
size: 21504
PID: 2060 ( 564) SearchIndexer.exe
size: 302080
PID: 2104 ( 564) XAudio.exe
PID: 2116 ( 564) hpqwmiex.exe
PID: 2224 ( 564) SDWinSec.exe
PID: 2528 (1080) taskeng.exe
size: 169472
PID: 2968 ( 564) QPSched.exe
PID: 3000 ( 564) ashMaiSv.exe
PID: 3020 ( 564) ashWebSv.exe
PID: 3732 ( 792) WmiPrvSE.exe
PID: 3808 ( 792) igfxsrvc.exe
size: 256536
PID: 4072 ( 792) ehmsas.exe
PID: 3708 ( 564) iPodService.exe
PID: 4080 ( 792) HPQTOA~1.EXE
PID: 4388 ( 564) HPHC_Service.exe
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/17/2008 4:28:14 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: Parental Controls LSP over [MSAFD Tcpip [TCP/IP]]
GUID: {F17E8374-1EAF-4401-B5A9-8F0EFF3C005D}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 1: Parental Controls LSP over [MSAFD Tcpip [UDP/IP]]
GUID: {DCADC2A6-D429-43DA-B4EF-13920EA5FF41}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 2: Parental Controls LSP over [MSAFD Tcpip [TCP/IPv6]]
GUID: {B3F4F2FE-F74E-4B22-AA10-BD068B7F382F}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 3: Parental Controls LSP over [MSAFD Tcpip [UDP/IPv6]]
GUID: {A753D188-C4EC-48A3-8C0A-11E092DF3327}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 4: Parental Controls LSP over [RSVP TCPv6 Service Provider]
GUID: {61E89043-E12B-4914-8AAC-FB08DB5A1A58}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 5: Parental Controls LSP over [RSVP TCP Service Provider]
GUID: {41FB3B52-E1C9-4E6C-A21E-733503AE3659}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 6: Parental Controls LSP over [RSVP UDPv6 Service Provider]
GUID: {BD7073E1-6C2F-4622-AFD2-93870BFCE7FD}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 7: Parental Controls LSP over [RSVP UDP Service Provider]
GUID: {213049DB-E91E-400E-A660-A914B22DAE23}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 8: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 9: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 10: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 11: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 12: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 13: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 14: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 15: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 16: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 17: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 18: Parental Controls LSP
GUID: {572F18CF-62F6-4456-BE0E-AF2D8FDBCE0B}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A710A106-2B64-434F-9524-EA66A4A65C37}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A710A106-2B64-434F-9524-EA66A4A65C37}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2FBD2158-ADBC-47D8-BB1C-7A2F76BEEEA2}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2FBD2158-ADBC-47D8-BB1C-7A2F76BEEEA2}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E5A40783-E3D5-4876-B48F-EA29C6569F8C}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E5A40783-E3D5-4876-B48F-EA29C6569F8C}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CF381BA8-4C6D-44D9-BC55-88E9A10DDC81}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CF381BA8-4C6D-44D9-BC55-88E9A10DDC81}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{36CA7738-497F-4122-8BF0-9835D4A15938}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 30: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{36CA7738-497F-4122-8BF0-9835D4A15938}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 31: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 32: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 33: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A710A106-2B64-434F-9524-EA66A4A65C37}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 34: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A710A106-2B64-434F-9524-EA66A4A65C37}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:
Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 4: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
Namespace Provider 5: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 6: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Looks like Spybot fixed the finding. Please post a fresh hjt log. Do you have more than one user account there?
screweycazooey
2008-06-18, 00:37
Yes, I have two accounts, one with admin rights and the other as standard user.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:23 PM, on 6/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Switcher\Switcher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\afan_2\Downloads\Temp Folder\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [Aim6] (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [Switcher] "C:\Program Files\Switcher\Switcher.exe" /quiet (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [1d304d6b] rundll32.exe "C:\Users\afan_2\AppData\Local\Temp\umdyvmxu.dll",b (User 'afan_2')
O4 - S-1-5-21-3653426806-1647728314-612228019-1001 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'afan_2')
O4 - S-1-5-21-3653426806-1647728314-612228019-1001 User Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'afan_2')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 13350 bytes
Hi
Start hjt, do a system scan, check:
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [1d304d6b] rundll32.exe "C:\Users\afan_2\AppData\Local\Temp\umdyvmxu.dll",b (User 'afan_2')
Close browsers and fix checked.
Show hidden files (Vista)
-----------------
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.
Delete C:\Users\afan_2\AppData\Local\Temp\umdyvmxu.dll file if found.
If you still have ATF Cleaner I asked to download earlier then please run it as instructed with both accounts on your system. If you had removed ATF Cleaner already then download & run it again.
Reboot and post a fresh hjt log. Still problems?
screweycazooey
2008-06-18, 17:55
Virtumonde still turns up in Spybot, but my machine seems to be running just fine. Would you like another Spybot report?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:29 AM, on 6/18/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Switcher\Switcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\afan_2\Desktop\HiJackThis.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [Aim6] (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (User 'afan_2')
O4 - HKUS\S-1-5-21-3653426806-1647728314-612228019-1001\..\Run: [Switcher] "C:\Program Files\Switcher\Switcher.exe" /quiet (User 'afan_2')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Windows\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11287 bytes
Would you like another Spybot report?
Yes, please. Then do a scan with GMER following these instructions:
Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
screweycazooey
2008-06-18, 23:15
I scanned again with Spybot, and this time it didn't find anything :) I scanned with GMER anyway.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-18 16:09:28
Windows 6.0.6001 Service Pack 1
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe[1308] kernel32.dll!CreateThread + 1A 768246E2 4 Bytes [ 52, 62, 44, 8E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2896] kernel32.dll!ExitProcess 76803B54 5 Bytes JMP 050520B4 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2896] USER32.dll!MessageBoxA 766DD619 5 Bytes JMP 0505205E C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2896] USER32.dll!MessageBoxW 766DD667 5 Bytes JMP 05052089 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.14 ----
--- Search result list ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2007-07-08 ImmunizeUIv2.exe (2.0.2.3)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-16 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-18 Includes\Malware.sbi (*)
2008-06-17 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-06-17 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-18 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-11 Includes\Trojans.sbi (*)
2008-06-18 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: 8CF58586AE4577ED71FFE8883A6D4B3B
Located: HK_LM:Run, Google Desktop Search
command: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
file: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
Located: HK_LM:Run, HotKeysCmds
command: C:\Windows\system32\hkcmd.exe
file: C:\Windows\system32\hkcmd.exe
size: 166424
MD5: 5F529FBB095CBC9F14BB1E97A7A6B547
Located: HK_LM:Run, HP Health Check Scheduler
command: [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, HP Software Update
command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
size: 54840
MD5: 21293443961A4E2597453EE7A9347F22
Located: HK_LM:Run, hpWirelessAssistant
command: %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
file: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
size: 472800
MD5: F3C9ADCBF74090552EDC76F81A553D81
Located: HK_LM:Run, IgfxTray
command: C:\Windows\system32\igfxtray.exe
file: C:\Windows\system32\igfxtray.exe
size: 141848
MD5: 7F7B42B1BA42242116F5B277A063FE2E
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 267048
MD5: 04A9F0C58B170F30445BCC0683EF9FFC
Located: HK_LM:Run, Persistence
command: C:\Windows\system32\igfxpers.exe
file: C:\Windows\system32\igfxpers.exe
size: 133656
MD5: D8A33AF26E4143F7A892009890BB6F64
Located: HK_LM:Run, QlbCtrl
command: %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
file: C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
size: 159744
MD5: 20321CA0F49D143FDB4CEF926A05E10A
Located: HK_LM:Run, QPService
command: "C:\Program Files\HP\QuickPlay\QPService.exe"
file: C:\Program Files\HP\QuickPlay\QPService.exe
size: 181544
MD5: CF41C54529021D0E393BD149FEE4F03E
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6DF76965A0FB8237E9C3B3CAB9815EC2
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1033512
MD5: 19D93154C82FE39A99B269CED1056A92
Located: HK_LM:Run, SynTPStart
command: C:\Program Files\Synaptics\SynTP\SynTPStart.exe
file: C:\Program Files\Synaptics\SynTP\SynTPStart.exe
size: 102400
MD5: A3418E4D4A5EE636D44922DC2567FA18
Located: HK_LM:Run, SysMetrix
command: C:\Program Files\SysMetrix\SysMetrix.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
Located: HK_LM:Run, WAWifiMessage
command: %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
file: C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
size: 317152
MD5: 6006C370B18A345203D26038518F5F86
Located: HK_LM:Run, WinampAgent
command: "C:\Program Files\Winamp\winampa.exe"
file: C:\Program Files\Winamp\winampa.exe
size: 36352
MD5: 93146CD558AE246116BA3315E15505B7
Located: HK_LM:RunOnce, Launcher
command: %WINDIR%\SMINST\launcher.exe
file: C:\Windows\SMINST\launcher.exe
size: 44128
MD5: 50ECAA360582260ACC5E1495CC34A22E
Located: HK_CU:Run, Aim6
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, AnyDVD
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ehTray.exe
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
Located: HK_CU:Run, ISUSPM Startup
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
size: 221184
MD5: A379B75A6FFE4DFD3184F35F0141CE91
Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6DF76965A0FB8237E9C3B3CAB9815EC2
Located: HK_CU:Run, swg
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
Located: HK_CU:Run, Switcher
where: S-1-5-21-3653426806-1647728314-612228019-1001...
command: "C:\Program Files\Switcher\Switcher.exe" /quiet
file: C:\Program Files\Switcher\Switcher.exe
size: 425984
MD5: 78C0E1B755AD36AE45C1DCBE39944093
Located: Startup (common), Google Calendar Sync.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
file: C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
size: 542192
MD5: 29834B14BEC6F5F1216F827FE48C0AB7
Located: Startup (common), HP Connections.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
file: C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
size: 34520
MD5: 3754F4C688BFD04BC886112BD6566A9B
Located: Startup (common), Microsoft Office.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A
Located: Startup (common), Microtek Scanner Finder.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Windows\twain_32\ScanWiz5\SDII.exe
file: C:\Windows\twain_32\ScanWiz5\SDII.exe
size: 315392
MD5: 447DE0D24F9EB3349DA9C7D3C4CB76FA
Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 2/20/2007 5:48:54 PM
Date (last access): 2/20/2007 5:48:54 PM
Date (last write): 9/27/2006 6:42:50 PM
Filesize: 441408
Attributes: archive
MD5: 2F56D8F57D4CCCD8970F59A40989545F
CRC32: 74FB5695
Version: 2006.9.27.1
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 2/10/2008 10:42:32 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 6/16/2008 1:24:34 AM
Date (last access): 6/16/2008 1:24:34 AM
Date (last write): 1/28/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\
Long name: swg.dll
Short name:
Date (created): 6/3/2008 3:10:02 PM
Date (last access): 6/3/2008 3:10:02 PM
Date (last write): 6/3/2008 3:10:02 PM
Filesize: 654320
Attributes: archive
MD5: 72D6804DC43CC0CF4F10E699D7738138
CRC32: ABF4BA3E
Version: 2.1.1119.1736
--- ActiveX list ---
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 4/19/2008 6:05:44 PM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13
--- Process list ---
PID: 1376 (1064) C:\Windows\system32\taskeng.exe
size: 169472
MD5: 5F109032CE46B7184ED9E50F9FE8489E
PID: 2856 (1044) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 59903071D7ACE6A02093C47E9E38AF97
PID: 2944 (2824) C:\Windows\Explorer.EXE
size: 2927104
MD5: FFA764631CB70A30065C12EF8E174F9F
PID: 3356 (2944) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1033512
MD5: 19D93154C82FE39A99B269CED1056A92
PID: 3380 (2944) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
size: 159744
MD5: 20321CA0F49D143FDB4CEF926A05E10A
PID: 3396 (2944) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
size: 317152
MD5: 6006C370B18A345203D26038518F5F86
PID: 3408 (2944) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
size: 472800
MD5: F3C9ADCBF74090552EDC76F81A553D81
PID: 3428 (2944) C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 3452 (2944) C:\Program Files\Alwil Software\Avast4\ashDisp.exe
size: 79224
MD5: 8CF58586AE4577ED71FFE8883A6D4B3B
PID: 3472 (2944) C:\Program Files\HP\QuickPlay\QPService.exe
size: 181544
MD5: CF41C54529021D0E393BD149FEE4F03E
PID: 3512 (2944) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 3556 (2944) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
PID: 3568 (2944) C:\Program Files\Winamp\winampa.exe
size: 36352
MD5: 93146CD558AE246116BA3315E15505B7
PID: 3632 (2944) C:\Windows\System32\hkcmd.exe
size: 166424
MD5: 5F529FBB095CBC9F14BB1E97A7A6B547
PID: 3648 (2944) C:\Windows\System32\igfxpers.exe
size: 133656
MD5: D8A33AF26E4143F7A892009890BB6F64
PID: 3740 (3512) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 3804 (2944) C:\Program Files\iTunes\iTunesHelper.exe
size: 267048
MD5: 04A9F0C58B170F30445BCC0683EF9FFC
PID: 3824 (2944) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
size: 54840
MD5: 21293443961A4E2597453EE7A9347F22
PID: 3840 ( 780) C:\Windows\system32\igfxsrvc.exe
size: 256536
MD5: 734006A2DB2404138F2C1A2CB86D32EF
PID: 3876 (2944) C:\Windows\ehome\ehtray.exe
size: 125952
MD5: BF08674925F151BD4537B89A493E3E0C
PID: 3912 (2944) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 3956 (2944) C:\Program Files\Switcher\Switcher.exe
size: 425984
MD5: 78C0E1B755AD36AE45C1DCBE39944093
PID: 3976 (2944) C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
size: 542192
MD5: 29834B14BEC6F5F1216F827FE48C0AB7
PID: 3992 (2944) C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
size: 34520
MD5: 3754F4C688BFD04BC886112BD6566A9B
PID: 4032 (2944) C:\Windows\twain_32\ScanWiz5\SDII.exe
size: 315392
MD5: 447DE0D24F9EB3349DA9C7D3C4CB76FA
PID: 4056 ( 780) C:\Windows\ehome\ehmsas.exe
size: 37376
MD5: 0F4195B9B348DE5CF9B822F81704B20E
PID: 2896 (3512) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
size: 29744
MD5: B39662E4C237AA25A2CD2379FF508099
PID: 2924 ( 780) C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
size: 491606
MD5: 9876623329C382AFBAB5B9D8099BD203
PID: 1308 (2944) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 416 ( 4) smss.exe
size: 64000
PID: 484 ( 472) csrss.exe
size: 6144
PID: 528 ( 472) wininit.exe
size: 96768
PID: 540 ( 520) csrss.exe
size: 6144
PID: 572 ( 528) services.exe
size: 279040
PID: 584 ( 528) lsass.exe
size: 9728
PID: 596 ( 528) lsm.exe
size: 229888
PID: 664 ( 520) winlogon.exe
size: 314880
PID: 780 ( 572) svchost.exe
size: 21504
PID: 848 ( 572) svchost.exe
size: 21504
PID: 888 ( 572) svchost.exe
size: 21504
PID: 980 ( 572) svchost.exe
size: 21504
PID: 1044 ( 572) svchost.exe
size: 21504
PID: 1064 ( 572) svchost.exe
size: 21504
PID: 1144 ( 980) audiodg.exe
size: 88064
PID: 1172 ( 572) SLsvc.exe
size: 2623488
PID: 1204 ( 572) svchost.exe
size: 21504
PID: 1348 ( 572) svchost.exe
size: 21504
PID: 1468 ( 572) aswUpdSv.exe
PID: 1480 ( 572) ashServ.exe
PID: 1676 ( 572) spoolsv.exe
size: 125952
PID: 1708 ( 572) svchost.exe
size: 21504
PID: 1944 ( 572) AppleMobileDeviceService.exe
PID: 1976 ( 572) mDNSResponder.exe
PID: 2004 ( 572) GoogleUpdaterService.exe
PID: 2040 ( 572) LSSrvc.exe
PID: 436 ( 572) MDM.EXE
PID: 448 ( 572) svchost.exe
size: 21504
PID: 564 ( 572) QPCapSvc.exe
PID: 2236 ( 572) svchost.exe
size: 21504
PID: 2272 ( 572) svchost.exe
size: 21504
PID: 2348 ( 572) SearchIndexer.exe
size: 302080
PID: 2400 ( 572) XAudio.exe
PID: 2420 ( 572) hpqwmiex.exe
PID: 2456 ( 572) SDWinSec.exe
size: 810320
MD5: A0C00A6265949AC72AB51B711743CA6D
PID: 2624 (1044) WUDFHost.exe
size: 142336
PID: 2980 ( 572) QPSched.exe
PID: 3008 ( 572) ashMaiSv.exe
PID: 3040 ( 572) ashWebSv.exe
PID: 3684 ( 780) WmiPrvSE.exe
PID: 996 ( 572) iPodService.exe
PID: 2712 (1064) taskeng.exe
size: 169472
PID: 3308 (3356) SynTPHelper.exe
PID: 3208 ( 572) HPHC_Service.exe
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/18/2008 3:32:57 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.netflix.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: Parental Controls LSP over [MSAFD Tcpip [TCP/IP]]
GUID: {F17E8374-1EAF-4401-B5A9-8F0EFF3C005D}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 1: Parental Controls LSP over [MSAFD Tcpip [UDP/IP]]
GUID: {DCADC2A6-D429-43DA-B4EF-13920EA5FF41}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 2: Parental Controls LSP over [MSAFD Tcpip [TCP/IPv6]]
GUID: {B3F4F2FE-F74E-4B22-AA10-BD068B7F382F}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 3: Parental Controls LSP over [MSAFD Tcpip [UDP/IPv6]]
GUID: {A753D188-C4EC-48A3-8C0A-11E092DF3327}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 4: Parental Controls LSP over [RSVP TCPv6 Service Provider]
GUID: {61E89043-E12B-4914-8AAC-FB08DB5A1A58}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 5: Parental Controls LSP over [RSVP TCP Service Provider]
GUID: {41FB3B52-E1C9-4E6C-A21E-733503AE3659}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 6: Parental Controls LSP over [RSVP UDPv6 Service Provider]
GUID: {BD7073E1-6C2F-4622-AFD2-93870BFCE7FD}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 7: Parental Controls LSP over [RSVP UDP Service Provider]
GUID: {213049DB-E91E-400E-A660-A914B22DAE23}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 8: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 9: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 10: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 11: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 12: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 13: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 14: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 15: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 16: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 17: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 18: Parental Controls LSP
GUID: {572F18CF-62F6-4456-BE0E-AF2D8FDBCE0B}
Filename: C:\Windows\system32\wpclsp.dll
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A710A106-2B64-434F-9524-EA66A4A65C37}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A710A106-2B64-434F-9524-EA66A4A65C37}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{88EA285E-7DA3-4BD1-8A9C-A451A93740C8}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{88EA285E-7DA3-4BD1-8A9C-A451A93740C8}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E5A40783-E3D5-4876-B48F-EA29C6569F8C}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E5A40783-E3D5-4876-B48F-EA29C6569F8C}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CF381BA8-4C6D-44D9-BC55-88E9A10DDC81}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CF381BA8-4C6D-44D9-BC55-88E9A10DDC81}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{36CA7738-497F-4122-8BF0-9835D4A15938}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 30: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{36CA7738-497F-4122-8BF0-9835D4A15938}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 31: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 32: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5FF3BAC1-FD64-4427-9784-E21F9EFF8B04}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 33: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A710A106-2B64-434F-9524-EA66A4A65C37}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 34: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{A710A106-2B64-434F-9524-EA66A4A65C37}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:
Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:
Namespace Provider 4: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
Namespace Provider 5: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 6: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Great :) Gmer log looks fine too.
I'll keep the topic open for some days so you can post back if that problem returns.
screweycazooey
2008-06-18, 23:20
THANKS! I greatly appreciate your help. I'll keep you posted.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.