domino66
2009-04-12, 01:22
Hi, I originally piggy-backed / bumped someone else's post (http://forums.spybot.info/showthread.php?p=304338#post304338) b/c a google search led me here and I seemed to have a similar problem to him, but was told that the appropriate process here was to follow the "before you post" instructions and start my own thread. I'm new here, so plz feel free to tell me if I'm doing something else wrong.
The problem: 2 days ago, all of a sudden the S&D Resident started going haywire, alerting me of a registry change denied (b/c I selected "remember this action the first time I denied it) roughly every 1 second. Here's what the bottom-right portion of me screen looks like:
http://img11.imageshack.us/img11/8199/regerror.jpg
The only difference between the post I bumped and my problem is that when I right-click the Resident icon and select Show Log, the text I see does NOT reference a oembio.exe process, but rather in its place a bootwindows.exe process. But I'm aware that this could be the same problem with simply a different malware filename. So the Resident.log file (for me) looks like:
9/27/2008 2:23:55 AM Allowed (based on user decision) value "DellSupport" (new data: "") deleted in System Startup user entry!
9/29/2008 9:00:20 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Dan\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
9/29/2008 9:00:25 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
10/21/2008 9:03:11 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
10/21/2008 9:04:51 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
10/24/2008 9:03:42 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
11/7/2008 4:57:57 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
11/7/2008 4:58:14 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/10/2008 9:20:36 AM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/11/2008 6:12:48 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
11/23/2008 11:16:10 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
12/11/2008 9:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
1/24/2009 6:14:26 PM Allowed (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "") deleted in Global browser toolbar!
1/24/2009 6:15:12 PM Denied (based on user decision) value "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}" (new data: "") added in Browser Helper Object!
1/24/2009 6:15:16 PM Denied (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "hex:00") added in Global browser toolbar!
3/24/2009 7:10:36 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/2/2009 7:33:56 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:04 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:08 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:10 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:00 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:01 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:02 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
(there are literally thousands of clone entries of the above...like I said, this S&D error msg is popping up every 1 second).
Some pertinent info:
- I use XP and run my school's corporate edition of Symantec Antivirus, and a complete scan comes up clean (also use S&D and AdAware)
- One other thing I noticed: Firefox has been REAAAALLY slow for me...like slowed to an absolute crawl, but IE, and all my other internet-based app's run just fine
What I've tried so far
- On the suggestion of a dif forum, I downloaded SUPERAntiSpyware and ran it, and it found something it labeled a Trojan.backdoor or something (sounds bad, obv) so I used the program to remove that file, but even after a reboot, S&D is still going haywire.
- I also ran Malwareybtes' Anti-Malware, and the results looked like this:
http://img220.imageshack.us/img220/6240/malw.jpg
I had Anti-Malware clean/delete the nasty looking things, rebooted, but the S&D teatimer was still going haywire. It's not right now, but that's only because I followed the instructions in the "before you post" thread and disabled it.
Here is my HJT log. I highlighted one line in bold below b/c in eyeballing the log (i don't really know what any of it means), i saw that line, which seems similar to the error that S&D was flashing at me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:13 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.0\bin\postmaster.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3969601634-894110467-613912118-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\Dan\Desktop\SetAffinity\\setaffinity_service.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 13251 bytes
The problem: 2 days ago, all of a sudden the S&D Resident started going haywire, alerting me of a registry change denied (b/c I selected "remember this action the first time I denied it) roughly every 1 second. Here's what the bottom-right portion of me screen looks like:
http://img11.imageshack.us/img11/8199/regerror.jpg
The only difference between the post I bumped and my problem is that when I right-click the Resident icon and select Show Log, the text I see does NOT reference a oembio.exe process, but rather in its place a bootwindows.exe process. But I'm aware that this could be the same problem with simply a different malware filename. So the Resident.log file (for me) looks like:
9/27/2008 2:23:55 AM Allowed (based on user decision) value "DellSupport" (new data: "") deleted in System Startup user entry!
9/29/2008 9:00:20 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Dan\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
9/29/2008 9:00:25 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
10/21/2008 9:03:11 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
10/21/2008 9:04:51 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
10/24/2008 9:03:42 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
11/7/2008 4:57:57 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
11/7/2008 4:58:14 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/10/2008 9:20:36 AM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/11/2008 6:12:48 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
11/23/2008 11:16:10 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
12/11/2008 9:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
1/24/2009 6:14:26 PM Allowed (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "") deleted in Global browser toolbar!
1/24/2009 6:15:12 PM Denied (based on user decision) value "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}" (new data: "") added in Browser Helper Object!
1/24/2009 6:15:16 PM Denied (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "hex:00") added in Global browser toolbar!
3/24/2009 7:10:36 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/2/2009 7:33:56 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:04 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:08 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:10 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:00 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:01 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:02 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
(there are literally thousands of clone entries of the above...like I said, this S&D error msg is popping up every 1 second).
Some pertinent info:
- I use XP and run my school's corporate edition of Symantec Antivirus, and a complete scan comes up clean (also use S&D and AdAware)
- One other thing I noticed: Firefox has been REAAAALLY slow for me...like slowed to an absolute crawl, but IE, and all my other internet-based app's run just fine
What I've tried so far
- On the suggestion of a dif forum, I downloaded SUPERAntiSpyware and ran it, and it found something it labeled a Trojan.backdoor or something (sounds bad, obv) so I used the program to remove that file, but even after a reboot, S&D is still going haywire.
- I also ran Malwareybtes' Anti-Malware, and the results looked like this:
http://img220.imageshack.us/img220/6240/malw.jpg
I had Anti-Malware clean/delete the nasty looking things, rebooted, but the S&D teatimer was still going haywire. It's not right now, but that's only because I followed the instructions in the "before you post" thread and disabled it.
Here is my HJT log. I highlighted one line in bold below b/c in eyeballing the log (i don't really know what any of it means), i saw that line, which seems similar to the error that S&D was flashing at me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:13 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
C:\Program Files\PostgreSQL\8.0\bin\postmaster.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.0\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0061215
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3969601634-894110467-613912118-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Dan\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Dan\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O10 - Unknown file in Winsock LSP: handgrabberlsp.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\Dan\Desktop\SetAffinity\\setaffinity_service.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 13251 bytes