View Full Version : Help with multiple infections...
bamakelly88
2008-11-24, 09:53
I have Trend Micro Internet Security, RUBotted, Ad-Aware, SpybotSD and still have managed to end up with multiple infections. I ran a SpybotSD report but have not done anything to fix these problems as I am not sure how to go about doing this. I'm afraid I will delete the wrong things.
I didn't notice any problems until about a week ago I started getting a message that from Trend Micro that a bot was detected on my computer and that someone had tried to remote in.
I need simple, clearcut instructions please as I am fairly illiterate when it comes to computer talk. TIA!!
Here is the Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:33 AM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\MOUSES~1.2\wh_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\temp\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Me.dium IE Add-on - {D5E5C1E6-78DB-49F0-A137-8D594F342FD6} - "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DACSMiniApp] C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\MOUSES~1.2\wh_exec.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Me.dium - {47F8FF58-8C1E-4584-92CD-CE8B1FE1AF44} - "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206981395661
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206981435020
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225429495069&h=16e298d462c84d551b5cc192c8664ecf/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8668 bytes
pskelley
2008-11-25, 23:16
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
I need more information, I am seeing nothing in the HJT log? I may be that Trend Micro blocked an attempt which is what you pay it for. If you follow the directions, I will help you check things out.
1) Read the directions, the instructions for how to run Spybot and what to remove it there.
http://www.safer-networking.org/en/tutorial/index.html
2) Because the "Before you Post" instructions appear to not have been read, HijackThis is located unsafely. Follow these directions to fix that:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until you need it again.
3) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
4) Scan with Trend Micro, post the scan results.
Thanks...Phil
bamakelly88
2008-11-26, 06:49
Dearest pskelley,
Thank you so much for your reply and your help. Here is an update on where I am at....
1.) I wanted you to know that after my original post I read the "Before You Post" instructions and followed the instructions for HJT. It is now on my desktop.
2.) I ran the uninstall list and will post it below.
3.) For some reason my Trend Micro will not scan properly and hasn't for a while. I have been using Housecall to scan. Also, I had Trend Micro pinned to my taskbar and it is marked to "always show"; however, for some reason it is not anymore. Also, my I had a set schedule for a daily scan which for hasn't run since 11/20/08. Once I started getting the message about the bot found. I was prompted to use Housecall to scan which I have been doing. I can update my Trend Micro but it will not scan. Would you like for me to run a Housecall scan and post those results instead?
Here is the uninstall list:
ABBYY FineReader 5.0 Sprint
ABBYY FineReader 6.0 Sprint
Acrobat.com
Acrobat.com
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
ATI - Software Uninstall Utility
ATI Control Panel
ATI Decoder
ATI Display Driver
ATI Multimedia Center 9.03
ATIMCEE
Barbie Girls
Broadcom 440x 10/100 Integrated Controller
CCScore
Conexant D850 56K V.9x DFVc Modem
Dell AIO Printer A920
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
FaxTools
GemMaster Mystic
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HDView for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 10
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Lernout & Hauspie TruVoice for Microsoft Agent
Lexmark 3400 Series
Lexmark Fax Solutions
Lexmark Toolbar
Math 1-2
Me.dium IE Add-on
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mouse Suite v1.2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
netbrdg
OfotoXMI
Olympus DSS Player Pro
OpenOffice.org Installer 1.0
Otto
PowerDVD
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SFR
SHASTA
Shockwave
skin0001
SKINXSDK
Sonic DLA
Sonic RecordNow!
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
staticcr
Stedman's Electronic Medical Dictionary 6.0
The Digital Arts and Crafts Studio
tooltips
Trend Micro Internet Security
Trend Micro Internet Security
Trend Micro RUBotted
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VPRINTOL
W Photo Studio
Wal-Mart Digital Photo Manager
Windows Imaging Component
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WIRELESS
Thanks again for your help. :santa:
pskelley
2008-11-26, 13:50
Thanks for returning your information and the feedback, you said:
For some reason my Trend Micro will not scan properly
You need to contact tech support, you pay them for the program to run right and protect you, I can not help with this.
http://esupport.trendmicro.com/support/consumer/ts.do
Would you like for me to run a Housecall scan and post those results instead?
Yes...I would like to see what it is finding.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
As far as I can see (and once again I do not know all of your programs) you appear to be doing a good job:bigthumb: PSI can tell you.
Let's ask MBAM to take a look also:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
Thanks...Phil
bamakelly88
2008-11-26, 19:53
PSKelley,
Thank you for the guidance and the info. I installed Secunia PSI for extra protection.
1.) I did not have to scan with Housecall, per your first reply you adviced me to stay off line except when troubleshooting. So, after I finished up I went offline. I was then able to scan with my Trend Micro. However, I am unable to post the screenshot of the results. I will tell you that it found and resolved 20 items, all of which were browsing cookies.
2.) Here is the MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1426
Windows 5.1.2600 Service Pack 3
11/26/2008 12:24:34 PM
mbam-log-2008-11-26 (12-24-34).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 122732
Time elapsed: 43 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 72
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\msvps.msvpsapp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.bdfn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qvdntlmw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4f9ac754-5629-414c-85fc-75e528a395ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{656c55cf-eb46-491c-aebe-892c716e61e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b0b1334b-8efd-4a7a-a2e6-368cab26846c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6885cc6d-190c-444a-a9ff-d107e6816409} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fe26ec81-f031-4a4d-8c23-3ad2ecc0cd95} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\pcsd (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32akttzn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32anticipator.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32awtoolb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32bdn.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32bsva-egihsg52.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32dpcproxy.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32emesx.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32h@tkeysh@@k.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32hoproxy.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32hxiwlgpm.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32hxiwlgpm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32medup012.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32medup020.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32msgp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32msnbho.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32mssecu.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32msvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32mtr2.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32mwin32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32netode.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32newsd32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32psof1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32psoft1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32regc64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32regm64.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32Rundl1.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32sncntr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32ssurf022.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32ssvchost.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32ssvchost.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32sysreq.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32taack.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32taack.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32temp#01.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32thun.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32thun32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32VBIEWER.OCX (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32vbsys2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32vcatchpi.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32winlogonpc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32WINWGPX.EXE (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\dwnrpofk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32ps1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Application Data\Sskknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Desktopfilemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Desktopfwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\DesktopFWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
3.) Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:43 PM, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\MOUSES~1.2\wh_exec.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Me.dium IE Add-on - {D5E5C1E6-78DB-49F0-A137-8D594F342FD6} - "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DACSMiniApp] C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\MOUSES~1.2\wh_exec.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Me.dium - {47F8FF58-8C1E-4584-92CD-CE8B1FE1AF44} - "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206981395661
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206981435020
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225429495069&h=16e298d462c84d551b5cc192c8664ecf/&filename=jinstall-6u10-windows-i586-jc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8861 bytes
I hope I did everything just like you said. Once again, thanks for your time and your help.
pskelley
2008-11-26, 22:56
Thanks for returning your information and the feedback. Here is information to help you control tracking cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
Remember you need some cookies for passwords, etc. I override for those.
Whoa..MBAM found a load of junk and removed it, because of TeaTimer, let's do this.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
2) http://downloads.subratam.org/ResetTeaTimer.bat <<< right click the link and choose "Save target as...
Download ResetTeaTimer.bat to the Desktop
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(this item is damaged, if you use it, install it again)
O2 - BHO: Me.dium IE Add-on - {D5E5C1E6-78DB-49F0-A137-8D594F342FD6} - "C:\Program Files\Me.dium\Me.dium IE Add-on\MediumIEAddOn.dll" (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
6) Because MBAM found so much junk and the fact TeaTimer was running, please take the time to UPDATE MBAM and scan again (Perform full scan) and quarantine anything it finds.
I want to comment that any program can make a mistake and MBAM puts what it removes in Quarantine. You see that area, the fourth tab. After a few days and the computer is running fine, then open that Quarantine area and delete everything in there.
Once you finish the above instructions, post the MBAM log (unless it is clean) and tell me how the computer runs now.
Thanks...Phil
bamakelly88
2008-11-27, 05:07
Phil,
Great news! My MBAM scan came back totally clean! You are the bomb! Thank you so, so, so much! Do I need to post anymore logs for you to verify?
Kelly
pskelley
2008-11-27, 13:26
Hi Kelly, thanks for the feeback, if the computer is now running as it should, here is information that may help it run even better.
Let's make sure System Restore files are clean:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
May help the computer run even better:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
and safer...
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...Phil:santa:
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
bamakelly88
2008-11-27, 17:13
Phil,
I did as you advised checking the System Restore. Then I thought that I would run one more SpybotSD scan to double check everything and unfortunately it showed the following results:
eXactAdvertising.BargainsBuddy.......2 entries Spyware
Fake.SecurityAlert........1 entry malware
LSA........2 entries malware
Microsoft.Windows.Security.InternetExplorer...1 entry security
NNC.MGRS.........1 entry Trojan
Smitfraud-C............1 entry MalwareC
SurfSideKick.............2 entries Malware
Zlob.Downloader.vcd..........1 entry Trojan
This is not near as many entries as I had the first scan with SpybotSD. Should I "Fix selected problems" and then run MBAM one more time? Should I turn off the TeaTimer again. I had just turned it back on before running the scan.
Thanks!
Kelly
pskelley
2008-11-27, 17:29
1) Make sure you running the most updated version of Spybot 1.6.0.30
2) Make sure you are fully immunized
3) Make sure you have reviewed the information I posted here:
http://www.safer-networking.org/en/tutorial/index.html
4) check for updates, run a scan, fix any problems then:
on the toolbar menu select mode and switch to advanced, on the left select tools, view report, make sure all the options are selected near the bottom except:
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select near top-- view report, Press export, and save the log somewhere so you can find it. post the saved log in your next reply.
Thanks
bamakelly88
2008-11-28, 07:38
Phil,
I did precisely as you said.
Here is the log report:
--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Fake.SecurityAlert: [SBI $1CEE4DC2] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zip.plugin
LSA: [SBI $4503EB16] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
LSA: [SBI $0855D166] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx
SurfSideKick: [SBI $99E6C90B] Library (File, fixed)
C:\Documents and Settings\Kelly\Application Data\Sskcwrd.dll
SurfSideKick: [SBI $E65AA505] Library (File, fixed)
C:\Documents and Settings\Kelly\Application Data\Sskuknwrd.dll
Smitfraud-C.: [SBI $14838A4C] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1644491937-1957994488-725345543-1003\SYSTEM\ControlSet001\Services\Installer
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1644491937-1957994488-725345543-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
eXact Advertising.BargainsBuddy: [SBI $05C13A2A] Executable (File, fixed)
C:\WINDOWS\system32\bbchk.exe
eXact Advertising.BargainsBuddy: [SBI $85869758] Executable (File, fixed)
C:\WINDOWS\system32\instsrv.exe
NNC.MGRS: [SBI $D7CE2F4E] IE start page (Registry change, fixed)
HKEY_USERSPE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank
Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-24 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-11-25 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-11-18 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-18 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-11-25 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-25 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-11-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB930494)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918439
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918899
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB925486
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Outlook Express 6 / SP1: Windows XP Hotfix - KB911567
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Windows Media Update 819756
/ Windows Media Player: Windows Media Update 823738
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB936782)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Presentation Foundation: This Hotfix is for Microsoft .NET Framework 3.0. \n
If you later install a more recent service pack, this Hotfix will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/932471
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 34672
MD5: 69B16C7B7746BA5C642FC05B3561FC73
Located: HK_LM:Run, BarbieGirlsTray
command: C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
file: C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
size: 24576
MD5: 624A55D6733687EC399D45C3F3069E0F
Located: HK_LM:Run, DACSMiniApp
command: C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
file: C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
size: 197888
MD5: D4751564AEC60F4570BCE8613373358A
Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
size: 221184
MD5: B4B4EB2F8849E93FE5FECE11E52C5930
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 136600
MD5: AB68B7C232293F6B09E5C29CB31AE76D
Located: HK_LM:Run, TMRUBottedTray
command: "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
file: C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
size: 288088
MD5: 872E4C29A4FDA128EFBA49EA26C4FCA7
Located: HK_LM:Run, WheelMouse
command: C:\MOUSES~1.2\wh_exec.exe
file: C:\MOUSES~1.2\wh_exec.exe
size: 86016
MD5: C007B64166F3589DFEC5CA1809505941
Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, swg
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ATI DeviceDetect
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command: C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
file: C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
size: 69707
MD5: 44BCDB924060B562043D099049FDCFD1
Located: HK_CU:Run, ATI Launchpad
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, MoneyAgent
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command: "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
file: C:\Program Files\Microsoft Money\System\mnyexpr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, OE
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command: "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
file: C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
size: 492808
MD5: 21A1159468BC5F596F24B0EF63010827
Located: HK_CU:Run, swg
where: S-1-5-21-1644491937-1957994488-725345543-1003...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
Located: Startup (common), Device Detector 3.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
file: C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
size: 114688
MD5: BACC4A728B73773CDA08D8DD69A785F1
Located: Startup (common), Kodak EasyShare software.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
file: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 282624
MD5: AD0BA83DFFCC8AF2838B043B58680A1D
Located: Startup (user), Secunia PSI.lnk
where: C:\Documents and Settings\Kelly\Start Menu\Programs\Startup...
command: C:\Program Files\Secunia\PSI\psi.exe
file: C:\Program Files\Secunia\PSI\psi.exe
size: 728408
MD5: 462934BD78B8411F9DE6E2DA8E3D0D3B
Located: Startup (disabled), CallWave (DISABLED)
command: C:\PROGRA~1\CallWave\IAM.exe -start
file: C:\PROGRA~1\CallWave\IAM.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Kodak EasyShare software (DISABLED)
command: C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -hx
file: C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE
size: 282624
MD5: AD0BA83DFFCC8AF2838B043B58680A1D
Located: Startup (disabled), KODAK Software Updater (DISABLED)
command: C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
file: C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~4\Office10\OSA.EXE -b -l
file: C:\PROGRA~1\MICROS~4\Office10\OSA.EXE
size: 86016
MD5: 00BBE4C0CABE9C6588C62A591F54AEE1
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 6/11/2008 9:33:22 PM
Date (last access): 11/27/2008 11:11:16 PM
Date (last write): 6/11/2008 9:33:22 PM
Filesize: 61816
Attributes: archive
MD5: 648AB52693D42C015D6062583B48D786
CRC32: B0DF946D
Version: 9.0.0.332
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 6/11/2008 9:33:16 PM
Date (last access): 11/27/2008 11:11:16 PM
Date (last write): 6/11/2008 9:33:16 PM
Filesize: 75128
Attributes: archive
MD5: E96C752BBA0E22330A43258FC800200E
CRC32: E5D72083
Version: 9.0.0.332
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 11/24/2008 1:46:38 AM
Date (last access): 11/28/2008 12:32:56 AM
Date (last write): 9/15/2008 2:25:44 PM
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: ssv.dll
Short name:
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/27/2008 11:11:16 PM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 320920
Attributes: archive
MD5: DC090E320775F1B1FE896F6E1D393D7F
CRC32: 068B5AFC
Version: 6.0.100.33
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\
Long name: swg.dll
Short name:
Date (created): 9/12/2008 2:44:28 PM
Date (last access): 11/27/2008 11:11:16 PM
Date (last write): 9/12/2008 2:44:28 PM
Filesize: 737776
Attributes: archive
MD5: AB32387A8F8C696A0739768B6B913714
CRC32: F4E76414
Version: 3.1.807.1746
{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/27/2008 11:11:18 PM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 34816
Attributes: archive
MD5: 27771CDC5D464818C8F92356AE840A6F
CRC32: B0BC1BD4
Version: 6.0.100.33
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/27/2008 11:11:18 PM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 73728
Attributes: archive
MD5: 8F206275452A3668097A7A26F62A7127
CRC32: 44B85557
Version: 6.0.100.33
--- ActiveX list ---
{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Installer: C:\WINDOWS\Downloaded Program Files\ieawsdc.inf
Codebase: http://office.microsoft.com/templates/ieawsdc.cab
description:
classification: Legitimate
known filename: IEAWSDC.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: IEAWSDC.DLL
Short name:
Date (created): 6/30/2007 7:09:06 PM
Date (last access): 11/27/2008 10:49:44 PM
Date (last write): 6/30/2007 7:09:06 PM
Filesize: 175968
Attributes: archive
MD5: BCD0A5C3C1715C363CB3F321ABE31514
CRC32: DB757059
Version: 12.0.6028.0
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 2/4/2008 5:23:10 PM
Date (last access): 11/27/2008 10:49:32 PM
Date (last write): 2/4/2008 5:23:10 PM
Filesize: 693792
Attributes: archive
MD5: D1346A4683E98836E2FE003859E5DC0D
CRC32: DF1DBA7A
Version: 1.6.28.0
{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
DPF name:
CLSID name: Trend Micro ActiveX Scan Agent 6.6
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
description:
classification: Legitimate
known filename: Housecall_ActiveX.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 9/21/2007 2:53:44 PM
Date (last access): 11/27/2008 10:49:44 PM
Date (last write): 9/21/2007 2:53:44 PM
Filesize: 385536
Attributes: archive
MD5: 10A86AB325CA1E17ADD3F0C39A081C9E
CRC32: E6322AD1
Version: 6.51.0.1025
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206981395661
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 7/30/2007 6:19:46 PM
Date (last access): 11/27/2008 10:49:44 PM
Date (last write): 7/18/2008 9:09:44 PM
Filesize: 205000
Attributes: archive
MD5: 4889720E56E85E1FE4659039BB5F6E3F
CRC32: EE278BD5
Version: 7.2.6001.784
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206981435020
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 7/30/2007 6:18:34 PM
Date (last access): 11/27/2008 10:49:44 PM
Date (last write): 7/18/2008 9:07:32 PM
Filesize: 210976
Attributes: archive
MD5: C5F2BE2C84D119CCE6DB901EA49D1528
CRC32: D65E48EB
Version: 7.2.6001.784
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-6u10.inf
Codebase: http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225429495069&h=16e298d462c84d551b5cc192c8664ecf/&filename=jinstall-6u10-windows-i586-jc.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/26/2008 7:22:32 PM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 132504
Attributes: archive
MD5: 3CEF7A7DE0D5141E016A862B1D86B1CD
CRC32: CC232AC8
Version: 6.0.100.33
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/28/2008 12:33:52 AM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 132504
Attributes: archive
MD5: 3CEF7A7DE0D5141E016A862B1D86B1CD
CRC32: CC232AC8
Version: 6.0.100.33
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 10/30/2008 11:06:38 PM
Date (last access): 11/28/2008 12:33:52 AM
Date (last write): 10/30/2008 11:06:38 PM
Filesize: 132504
Attributes: archive
MD5: 3CEF7A7DE0D5141E016A862B1D86B1CD
CRC32: CC232AC8
Version: 6.0.100.33
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control)
DPF name:
CLSID name: Performance Viewer Activex Control
Installer: C:\WINDOWS\Downloaded Program Files\RACtrl.inf
Codebase: https://secure.logmein.com/activex/ractrl.cab?lmi=100
description:
classification: Legitimate
known filename: RACtrl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: RACtrl.dll
Short name:
Date (created): 1/17/2008 12:18:26 PM
Date (last access): 11/27/2008 10:49:44 PM
Date (last write): 1/17/2008 12:18:26 PM
Filesize: 2745672
Attributes: archive
MD5: 7E66721241EE1A09D03D49CBA349050A
CRC32: 5CF92D5A
Version: 1.0.0.356
--- Process list ---
PID: 0 ( 0) [System]
PID: 820 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 876 ( 820) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 900 ( 820) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 944 ( 900) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 956 ( 900) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1172 ( 944) C:\WINDOWS\System32\Ati2evxx.exe
size: 303104
MD5: 0715FD85C9DBBC18346A7DA07873D298
PID: 1188 ( 944) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1272 ( 944) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1396 ( 944) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1460 ( 944) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1552 ( 944) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1760 ( 944) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 1932 ( 944) C:\WINDOWS\system32\LEXBCES.EXE
size: 303104
MD5: D83658E21A184515CCAD79EEC6EEB05B
PID: 1960 ( 944) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1972 (1932) C:\WINDOWS\system32\LEXPPS.EXE
size: 174592
MD5: FB6E8BED981B3D2307A874D7001E9FA9
PID: 296 ( 944) C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
size: 65536
MD5: 727B25BE2277079C97F6F2E2F6D493F5
PID: 316 ( 944) C:\WINDOWS\ehome\ehSched.exe
size: 84992
MD5: F6D494D609D52A0E9596756C5540A978
PID: 344 ( 944) C:\Program Files\Java\jre6\bin\jqs.exe
size: 152984
MD5: 5FD5865DC1A2100F8D4CF000EE5409A3
PID: 416 ( 944) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
size: 122880
MD5: F9102685F97F9BA85F4A70AFCF722CFE
PID: 684 ( 944) C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
size: 517456
MD5: 072D10D9A8D23963DA486132ECE510F5
PID: 784 ( 944) C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
size: 698888
MD5: 7B3BFFBC1B85FD6ED0B41E98AED5A26E
PID: 868 ( 944) C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
size: 61440
MD5: DC7F26E519331D074E6D3D8A90595364
PID: 1084 ( 944) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1364 ( 944) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 1512 ( 944) C:\Program Files\Trend Micro\BM\TMBMSRV.exe
size: 333064
MD5: 86F5745E7BB6BB34E597B4428066956D
PID: 1808 ( 784) C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
size: 1398024
MD5: 666603F41BE18EB6AB12418E7EAC7F35
PID: 2380 ( 944) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 2624 ( 944) C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
size: 648456
MD5: 2EB707EFF38045789E4A7A16C09BC36A
PID: 3048 (2944) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 3260 (3048) C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
size: 197888
MD5: D4751564AEC60F4570BCE8613373358A
PID: 3268 (3048) C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
size: 24576
MD5: 624A55D6733687EC399D45C3F3069E0F
PID: 3304 (3048) C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
size: 288088
MD5: 872E4C29A4FDA128EFBA49EA26C4FCA7
PID: 3408 (3048) C:\MOUSES~1.2\wh_exec.exe
size: 86016
MD5: C007B64166F3589DFEC5CA1809505941
PID: 3576 (3048) C:\Program Files\Java\jre6\bin\jusched.exe
size: 136600
MD5: AB68B7C232293F6B09E5C29CB31AE76D
PID: 3592 (3048) C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD
PID: 3672 (3048) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 3692 (3048) C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
size: 69707
MD5: 44BCDB924060B562043D099049FDCFD1
PID: 3736 (3048) C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
size: 492808
MD5: 21A1159468BC5F596F24B0EF63010827
PID: 3748 (3048) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 3904 (3048) C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
size: 114688
MD5: BACC4A728B73773CDA08D8DD69A785F1
PID: 3956 (3048) C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 282624
MD5: AD0BA83DFFCC8AF2838B043B58680A1D
PID: 4032 (3048) C:\Program Files\Secunia\PSI\psi.exe
size: 728408
MD5: 462934BD78B8411F9DE6E2DA8E3D0D3B
PID: 3700 ( 944) C:\WINDOWS\system32\lxcycoms.exe
size: 537264
MD5: A4B2C07BC4060811EFEE33784BDE8B8F
PID: 4068 (3048) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/28/2008 12:33:53 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{130EF4A1-67C9-458C-B792-F9816D41760A}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{130EF4A1-67C9-458C-B792-F9816D41760A}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8F8CC794-99B3-4E7A-88B6-A7501D39F970}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8F8CC794-99B3-4E7A-88B6-A7501D39F970}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7CCFF01F-0FF2-4908-9F60-1106B7E94187}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7CCFF01F-0FF2-4908-9F60-1106B7E94187}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B1907C3C-AE28-41BC-8871-FBBDA57FF735}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B1907C3C-AE28-41BC-8871-FBBDA57FF735}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08539D3A-A581-4A35-BB94-AC7FE2D963B1}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08539D3A-A581-4A35-BB94-AC7FE2D963B1}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5068ECFB-5ED8-4236-8B25-9752C4A89FB2}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5068ECFB-5ED8-4236-8B25-9752C4A89FB2}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Thanks again! You're the best!
Kelly :red:
pskelley
2008-11-28, 12:46
Looks like you fixed all of the issues Spybot S&D found, if you have additional questions, experts who deal with Spybot S&D would be better able to help you here.
http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives
:santa: