View Full Version : Win32.Iksmas.ai
Iamscifiman
2009-06-11, 05:18
A brief bit of background. I've never had to post one of these before because usually I can take care of it myself. I can use a computer, so please just talk straight to me. My computer was freezing on startup, even sometimes going into safe mode, though I managed to run off a few scans and deleted a number of worms, malware, trojans, etc. I believe this one may have been what started it and now I can't get rid of it (I found the instructions on manual removal and it still hasn't worked). I've got a number of different programs to scan with, and I've already gotten rid of most of everything else (don't worry, I don't have programs conflicting or anything). I can't seem to find a way to remove this, so help would be appreciated.
I have a Dell Vostro 1500 running Windows XP, just FYI. Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:21 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Safer Networking\RunAlyzer\RunAlyzer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 10198 bytes
Thanks again in advance.
I know we weren't supposed to post again with a new log or anything, I thought I'd just update with this in case it helps:
When my computer was crashing at startup, there was a BSOD but that crashed too or something, I couldn't read any of it. Well, I was sitting here and it crashed again, got the main code 0x0000007A (Kernel Data Inpage Error) and I found out to run chkdsk. But now I can't, it says chkdsk was unable to set itself to run at startup (because the disk is in use now). Never had this problem before, I figure it's probably related...
pskelley
2009-06-12, 13:36
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions.
I am not sure if I can help or not?
I managed to run off a few scans and deleted a number of worms, malware, trojans, etc.
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
Just like CSI, we depend on the evidence (which is destroyed by scans) if you have been hacked, this is a crime scene.
I can't seem to find a way to remove this
What exactly is this?
Here is information from the error message you did post:
http://www.smartcomputing.com/techsupport/detail.aspx?guid=&ErrorID=23365
http://www.google.com/search?hl=en&q=0x0000007A+%28Kernel+Data+Inpage+Error%29&btnG=Search&aq=f&oq=&aqi=
If you want me to help you look for possible malware, then we will start like this.
1) Read the directions, since TeaTimer is NOT disabled as instructed, I must assume you did not.
2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
3) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
http://www.besttechie.net/mbam/mbam-setup.exe <<< download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5) Post any error messages you receive "word for word"
Thanks
Iamscifiman
2009-06-13, 05:47
Okay, please let me clarify.
Yes, I did read the post, because if I hadn't, I wouldn't have said stuff like
I know we weren't supposed to post again with a new log or anything
I seem to have missed turning off TeaTimer and have since done so.
However, as I also said, everything in that top paragraph was "background". I took care of all of that previously. That HijackThis log was taken after. Like I also said, I am generally good with computers, so please talk straight to me. I understand that doing scans remove things that are then not picked up by the logs. I also can identify stop codes on my own.
Lastly, what I am trying to get rid of is the title of this thread....
--------------------------------------------------
MBAM Log:
Malwarebytes' Anti-Malware 1.31
Database version: 1467
Windows 5.1.2600 Service Pack 3
6/12/2009 11:27:25 PM
mbam-log-2009-06-12 (23-27-25).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 579252
Time elapsed: 5 hour(s), 2 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------------
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:47 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9762 bytes
--------------------------------------------------
Uninstall List:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter (remove only)
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 7.0.8
Adobe Shockwave Player
Advanced Audio FX Engine
Advanced Video FX Engine
AIM 6
Apple Mobile Device Support
Apple Software Update
AstroSynthesis v2.01b TRIAL
Athens 2004 (v1.0.0)
AusLogics Registry Defrag
Azureus Vuze
Blender (remove only)
Blokus World Tour
BOINC
Bonjour
Broadcom Management Programs
Brother MFL-Pro Suite
CamStudio
CCleaner (remove only)
CDDRV_Installer
Celestia 1.4.1
Conexant HDA D330 MDC V.92 Modem
Corel Painter Essentials 3
Corel Painter Essentials 3
Cortona® VRML Client
Cosmo Player 2.1.1
Crimson Fields for Windows
CutePDF Writer 2.7
Darwinia v1.42
Dell DataSafe Online
Dell Touchpad
DELL Webcam Center
DELL Webcam Manager
Dell Wireless WLAN Card
Digital Line Detect
DivX Codec
ElectricSheep 2.6.6
ERUNT 1.1j
File Shredder 2.0
FileZilla (remove only)
FileZilla Client 3.2.4.1
Filters Unlimited 2.0 Demo
FLAC 1.2.1b (remove only)
FLV Player 1.3.3
FLV Player 2.0 (build 25)
Forester
Game of Life
GameSpy Arcade
Google Earth
Google SketchUp 6
Google SketchUp 6 Exporters
Google SketchUp LayOut 6
Google SketchUp Pro 6
Google Updater
Gravitation3D
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Homeworld Unit Viewer
Homeworld2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Ilathid 1.0
Inkscape 0.46
IntelliSonic Speech Enhancement
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Java DB 10.2.2.0
Java Platform, Enterprise Edition 5 SDK
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Development Kit 6 Update 2
KhalSetup
Laptop Integrated Webcam Driver (1.02.01.0612)
LIVE gaming on Windows Runtime Version 1.0.6027
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
LiveUpdate 2.7 (Symantec Corporation)
Malwarebytes' Anti-Malware
Map Maker Pro 3.5
MATLAB R2008a
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
MediaDirect
Melodyne 3.1
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft WorldWide Telescope
mIRC
MixMeister BPM Analyzer 1.0
Modem Diagnostic Tool
MozBackup 1.4.6
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Musicnotes Player V1.23.1
Myst III: Exile
Myst IV - Revelation
Myst Uru - Complete Chronicles
Myst V End Of Ages
Nero 8
neroxml
NetWaiting
nik Color Efex Pro 2.0 GE
nLite 1.4.1
Norton Internet Security
NoteWorthy Composer 2
NoteWorthy Player
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OutlookAddinSetup
PaperPort
Parmen
Pen Tablet
PLT Scheme v4.1.4
PopCap Browser Plugin
Portal
POV-Ray for Windows v3.6.1c
PowerDVD
Python 2.5 py2exe-0.6.6
Python 2.5 pygame-1.7.1release
Python 2.5.1
QuickSet
QuickTime
Rhapsody Player Engine
RunAlyzer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SetPoint
SheepWatcher
Sibelius 5
Sibelius Scorch Plugin
Sid Meier's Civilization III
Sid Meier's Gettysburg!
Sid Meier's Gettysburg! 2000/XP Compatibility Update
SigmaTel Audio
Skype™ 3.5
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 6.0
Sqirlz Water Reflections
Star Trek Bridge Commander
Star Trek Legacy
Star Trek Pinball
Star Trek Voyager Elite Force
Star Wars Battlefront II
Starship Titanic
Starship Troopers
Starship Tycoon Full
StrataGen 2
Swiff Player 1.1
Terragen
Terragen 2 Free Edition (Beta)
TerraPainter
TextTwist
The Neverhood
Thredgeholder Plugin v 1.0
Total Video Converter 3.10
Tweak UI
UnHackMe 5.00 release
Universe
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VCRedistSetup
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
WIDCOMM Bluetooth Software
WikidPad 1.8final
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Resource Kit Tools
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall
--------------------------------------------------
The help has been much appreciated. The only thing that MBAM removed was PromoReg, which has been sitting around my machine as well. Please also note that I have currently had to re-install my sound driver four times now. I believe this to be related because this has not happened previously, and I'm not sure if that helps or not, but I thought I'd mention it.
Thanks again in advance.
pskelley
2009-06-13, 12:35
Let's clear the air right away, if you missed one instruction, I have no way of knowing what else you may have missed. If you have a problem with my directions, please let me know and I will be glad to close this thread at this point.
My computer was freezing on startup, even sometimes going into safe mode
Windows usually provides a error message when this happens, post all error messages Windows provides word for word. Sounds more like a hardware issue that malware. Provide more information and I will see what I can do to help.
Lastly, what I am trying to get rid of is the title of this thread....
Win32.Iksmas.ai: http://www.google.com/search?hl=en&q=Win32.Iksmas.ai+&btnG=Google+Search&aq=f&oq=&aqi=
Please tell me what program finds this malware and where does that program say it is located?
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Flash Player 10 ActiveX <<< check this:
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Reader 7.0.8 <<< out of date and unsafe:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
Azureus Vuze <<< p2p program, must be uninstalled.
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
all out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Spybot - Search & Destroy 1.5.2.20 <<< uninstall this old program.
Spybot - Search & Destroy <<< Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html
Viewpoint Media Player <<< For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm
The only thing that MBAM removed was PromoReg, which has been sitting around my machine as well.
The current version of MBAM and database: Version 1.37 (Database 2271 Date 6/12/2009)
What you are running:
Malwarebytes' Anti-Malware v1.31
Database version: 1467
Open MBAM > Click the Update tab > click Check for Updates > allow MBAM to download and install the newest version.
click the > Perform Full Scan > follow instructions I posted earlier > Post the results.
Please also note that I have currently had to re-install my sound driver four times now.
Any error messages? in Malware Removal we generally do not deal with sound card issues. If you can provide more information I may be able to help or at least direct you to where you can get help.
Iamscifiman
2009-06-14, 19:28
Fair enough, I was simply trying to defend myself, I believe that is only fair.
I have currently lost the ability to uninstall things. I think I managed to clear Adobe Flash Player 10 ActiveX. I was also able to uninstall and update Spybot and of course MBAM. Certain programs using the windows installer service do not run and I get an error that starts: "Windows Installer Service cannot be accessed"
Adobe Flash Player 10 ActiveX - removed
Adobe Reader 7.0.8 - not removed/updated
Azureus Vuze - removed
Java updates - not removed
Spybot - removed and updated
Viewpoint Media Player - removed (again....)
MBAM - updated
I attempted to run MBAM yesterday and Windows crashed near the end with a 0x0000000A, there seems to be some driver malfunction I believe as a result of all of this. Also, I seem to be losing my wireless capabilities (neither of these happened prior to about a week ago). As to my sound driver, the error I get is: "There are no active Mixer devices available. To install..." which again, I never got before a week ago.
Also, to mention two things I haven't before, I only use firefox (I know things can still get through, but it is much safer than IE) and as for Azureus Vuze, I have only used it once to download legal torrents through Relic Entertainment (Homeworld soundtracks awhile ago). So, I at least for Vuze, I don't think it's possible I could have gotten anything from it. But not to worry, I have already removed it.
As for iksmas, I found it through spybot, and these are the results it still pulls up:
Win32.Iksmas.ai: [SBI $06907D50] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FWDone
Win32.Iksmas.ai: [SBI $06907D50] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\FWDone
Win32.Iksmas.ai: [SBI $426323A7] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\MyID
Win32.Iksmas.ai: [SBI $426323A7] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\MyID
Every time I run spybot, it only removes the 1st and 3rd entries and two remain (so they repopulate). I deleted the remaining entries (I could not see them before... and I also saved the registry entries just in case) re-ran spybot which found nothing, and after restarting, I still do not see them there. My computer has sped up a considerable amount, but my windows installer still does not seem to work however.
------------------------------------------------
MBAM Log:
Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 3
6/14/2009 12:07:02 PM
mbam-log-2009-06-14 (12-07-02).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 669848
Time elapsed: 5 hour(s), 15 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\MyID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Michael\local settings\temp\~TM224.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\temporary internet files\Content.IE5\XQE1BRT5\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP497\A0086112.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\pss\rncsys32.exeStartup (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cftmon.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
-------------------------------------------------------------
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:49 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 10071 bytes
pskelley
2009-06-14, 20:06
I have currently lost the ability to uninstall things.
What error message do you receive (word for word) when you try to uninstall?
0x0000000A
http://support.microsoft.com/kb/314063
Also, I seem to be losing my wireless capabilities
Wireless router, see this information:
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
Is there any error associated with your believe or any symptoms we can search?
I only use firefox (I know things can still get through, but it is much safer than IE)
That used to be true and it is because of the numbers. Hackers always achived more financial gain with IE but it is not longer the case. As the numbers of users of Mozilla Firefox increased, so did the attacks on Firefox and other browsers. I personally use IE7 and keep Firefox (3.0.10) as a spare for emergencies.
Azureus Vuze, I have only used it once to download legal torrents
If you have not read site policy, you need to do so, more and more help forums are adopting this or similiar policies.
http://forums.spybot.info/showthread.php?t=282
but my windows installer still does not seem to work however.
Please make sure you post any error message word for word, just as Windows presents it to you, see if this information helps.
http://support.microsoft.com/kb/319624
If not post the exact error or Google it yourself.
Follow the directions carefully and in the posted order.
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
(leave the next two if you set them that way)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Spybot S&D: check for updates, run a scan, fix any problems then:
on the toolbar menu select mode and switch to advanced, on the left select tools, view report, make sure all the options are selected near the bottom except:
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select near top-- view report, Press export, and save the log on your Desktop, post the saved log in your next reply.
Recap: post any information I requested, any comments you think will help, the results of the Spybot S&D scan and a new HJT log.
Thanks
Iamscifiman
2009-06-14, 22:31
My uninstaller works again now (I found that same link) and I've been able to remove/update everything. I installed the java sdk rather than the jre since I use it, but it should come with both.
I've read the site policy on the p2ps, like I said, I only used it once for a legal torrent, and have already removed it from my machine.
I ran ATF cleaner and then HijackThis, removing all five of those entries.
As for Spybot, I ran it again, and it unfortunately came up with the same four entries of Win32.Iksmas.ai. I cleaned the two I could clean but this time did not bother to delete the registry entries, seeing as this did not help matters for me last time (see my previous post for the entries, they are exactly the same).
Lastly, my wireless seems to be fine again, as is my sound driver. But, I will intermittently have my taskbar convert from the regular windows XP default style to the older style (2000?) and I figure this must be related because it never happened before. Not sure if that helps though.
---------------------------------------------------------
Spybot report:
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-06-13 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-06-02 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-06-02 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-06-09 Includes\HijackersC.sbi
2009-05-06 Includes\Keyloggers.sbi
2009-06-09 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-06-10 Includes\Malware.sbi
2009-06-09 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-06-05 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-06-02 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-06-02 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi
2009-06-09 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 35696
MD5: 452FA961163EF4AEE4815796A13AB2CF
Located: HK_LM:Run, ISTray
command: "C:\Program Files\Spyware Doctor\pctsTray.exe"
file: C:\Program Files\Spyware Doctor\pctsTray.exe
size: 1182088
MD5: E6F7FE7BFD2CD4B79142165118D896AA
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 13594624
MD5: D0D900FE5EF245C1DAEBA4016C10B213
Located: HK_LM:Run, ShStatEXE
command: "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
file: C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
size: 112216
MD5: 86C989DFE38BC57F0BDACB018A58FDBD
Located: HK_LM:Run, SigmatelSysTrayApp
command: %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
file: C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
size: 405504
MD5: 012844A8E13BE3941C9CAF1F91F47DF2
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 148888
MD5: D22D936F9AB0DA3B8EB7537284867708
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 148888
MD5: D22D936F9AB0DA3B8EB7537284867708
Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 851968
MD5: 4E4B8F8E44F786FC4126D884E6AD892C
Located: HK_LM:RunOnceEx, Title
command: UnHackMe Rootkit Check
file: UnHackMe Rootkit Check
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, DELL Webcam Manager
where: PE_C0_S-1-5-21-3055308489-52628631-2311540868-500...
command: "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
file: C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
size: 118784
MD5: 066302E42EA8BC9A0F2F1B666E50B9BF
Located: HK_CU:RunOnce, NeroHomeFirstStart
where: PE_C0_S-1-5-21-3055308489-52628631-2311540868-500...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 19752
MD5: 7962D6FE711D3905E685225125F8EE2D
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3055308489-52628631-2311540868-1006...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, UnHackMe Monitor
where: S-1-5-21-3055308489-52628631-2311540868-1006...
command: C:\Program Files\UnHackMe\hackmon.exe
file: C:\Program Files\UnHackMe\hackmon.exe
size: 231648
MD5: 855B0936882B0187B163C6FCFE36E968
Located: HK_CU:Run, updateMgr
where: S-1-5-21-3055308489-52628631-2311540868-1006...
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3055308489-52628631-2311540868-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, DELL Webcam Manager
where: S-1-5-21-3055308489-52628631-2311540868-500...
command: "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
file: C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
size: 118784
MD5: 066302E42EA8BC9A0F2F1B666E50B9BF
Located: HK_CU:RunOnce, NeroHomeFirstStart
where: S-1-5-21-3055308489-52628631-2311540868-500...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 19752
MD5: 7962D6FE711D3905E685225125F8EE2D
Located: HK_CU:Run, DELL Webcam Manager
where: S-1-5-21-3055308489-52628631-2311540868-501...
command: "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s
file: C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe
size: 118784
MD5: 066302E42EA8BC9A0F2F1B666E50B9BF
Located: HK_CU:Run, IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-3055308489-52628631-2311540868-501...
command: "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
file: C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
size: 1688872
MD5: 0CE5B7372D0947889CB2FD394D869011
Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-3055308489-52628631-2311540868-501...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD
Located: Startup (common), Bluetooth.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
file: C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
size: 622653
MD5: 223A18AC9E6A23D6A8B84223F3794497
Located: Startup (common), SetPoint.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\SetPoint\SetPoint.exe
file: C:\Program Files\SetPoint\SetPoint.exe
size: 679936
MD5: C6AAF2C353F1F90CA05A88CD9FAC8494
Located: Startup (user), BOINC Manager.lnk
where: C:\Documents and Settings\Michael\Start Menu\Programs\Startup...
command: C:\Program Files\BOINC\boincmgr.exe
file: C:\Program Files\BOINC\boincmgr.exe
size: 4145920
MD5: 33B09052704045EE80A76E7DC307CF35
Located: Startup (disabled), rncsys32 (DISABLED)
command: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\rncsys32.exe
file: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\rncsys32.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 2/27/2009 12:07:26 PM
Date (last access): 6/14/2009 3:53:00 PM
Date (last write): 2/27/2009 12:07:26 PM
Filesize: 75128
Attributes: archive
MD5: 5CF6190CD875DA6B35256FEE573E7908
CRC32: 764BA81B
Version: 9.1.0.163
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 6/13/2009 3:59:22 PM
Date (last access): 6/14/2009 4:13:20 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: scriptproxy
CLSID name: scriptproxy
Path: C:\Program Files\McAfee\VirusScan Enterprise\
Long name: ScriptCl.dll
Short name:
Date (created): 11/30/2006 8:50:00 AM
Date (last access): 6/14/2009 4:21:58 PM
Date (last write): 11/30/2006 8:50:00 AM
Filesize: 67136
Attributes: archive
MD5: 100ADCB3C368F15B83DA81278101D53B
CRC32: 70466014
Version: 13.3.1.100
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\
Long name: swg.dll
Short name:
Date (created): 3/25/2009 1:34:08 AM
Date (last access): 6/14/2009 3:21:56 PM
Date (last write): 3/25/2009 1:34:08 AM
Filesize: 668656
Attributes: archive
MD5: D1585B06DED161E13B905DC4FFBF7F12
CRC32: 88D5BAA5
Version: 5.1.1309.3572
{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 6/14/2009 4:08:50 PM
Date (last access): 6/14/2009 4:08:50 PM
Date (last write): 6/14/2009 4:08:50 PM
Filesize: 41368
Attributes: archive
MD5: 192E39C717013A0BD532B33AC29D6E7D
CRC32: 6D4D2A2E
Version: 6.0.140.8
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 6/14/2009 4:08:56 PM
Date (last access): 6/14/2009 4:08:56 PM
Date (last write): 6/14/2009 4:08:56 PM
Filesize: 73728
Attributes: archive
MD5: 9A0CA264EC3210E77764C45AD7C5F339
CRC32: A8965ADA
Version: 6.0.140.8
--- ActiveX list ---
{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 7/11/2006 10:41:36 AM
Date (last access): 6/14/2009 5:23:58 AM
Date (last write): 7/11/2006 10:41:36 AM
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4
{576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control)
DPF name:
CLSID name: BOSIActiveFormX Control
Installer: C:\WINDOWS\Downloaded Program Files\BOSIActiveXGrid.inf
Codebase: http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: BOSIActiveXGrid70.ocx
Short name: BOSIAC~2.OCX
Date (created): 1/31/2007 11:56:50 AM
Date (last access): 6/14/2009 5:23:56 AM
Date (last write): 1/31/2007 11:56:50 AM
Filesize: 1594880
Attributes: archive
MD5: 2683D33A08996BFE4BA358553DA3E66B
CRC32: 808DAF07
Version: 7.0.20.5
{6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control)
DPF name:
CLSID name: BOSIRichEditActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\BOSIActiveXMemoControl.inf
Codebase: http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: BOSIActiveXMemoControl70.ocx
Short name: BOSIAC~1.OCX
Date (created): 1/31/2007 11:56:56 AM
Date (last access): 6/14/2009 5:23:58 AM
Date (last write): 1/31/2007 11:56:56 AM
Filesize: 685056
Attributes: archive
MD5: 5680B0EB91E54A467117EFDE8AF0478B
CRC32: 1A640EDE
Version: 7.0.20.5
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_14
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_14.dll
Short name: NPJPI1~1.DLL
Date (created): 6/14/2009 4:08:52 PM
Date (last access): 6/14/2009 4:08:52 PM
Date (last write): 6/14/2009 4:08:52 PM
Filesize: 136600
Attributes: archive
MD5: 104191689E114BEF5C92A6BD626FA4F3
CRC32: 9D46C674
Version: 6.0.140.8
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 2:52:58 PM
Date (last access): 6/14/2009 3:31:20 PM
Date (last write): 11/10/2005 2:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_14
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_14.dll
Short name: NPJPI1~1.DLL
Date (created): 6/14/2009 4:08:52 PM
Date (last access): 6/14/2009 4:08:52 PM
Date (last write): 6/14/2009 4:08:52 PM
Filesize: 136600
Attributes: archive
MD5: 104191689E114BEF5C92A6BD626FA4F3
CRC32: 9D46C674
Version: 6.0.140.8
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_14
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_14.dll
Short name: NPJPI1~1.DLL
Date (created): 6/14/2009 4:08:52 PM
Date (last access): 6/14/2009 4:08:52 PM
Date (last write): 6/14/2009 4:08:52 PM
Filesize: 136600
Attributes: archive
MD5: 104191689E114BEF5C92A6BD626FA4F3
CRC32: 9D46C674
Version: 6.0.140.8
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10a.ocx
Short name:
Date (created): 10/4/2008 11:16:26 PM
Date (last access): 6/14/2009 3:06:26 PM
Date (last write): 10/4/2008 11:16:26 PM
Filesize: 3789728
Attributes: readonly archive
MD5: 466C1355934925768822E380DA6E6E4A
CRC32: 48EC1E52
Version: 10.0.12.36
--- Process list ---
PID: 0 ( 0) [System]
PID: 896 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 964 ( 896) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 996 ( 896) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 1040 ( 996) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 1052 ( 996) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1216 (1040) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1264 (1040) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1448 (1040) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1472 (1040) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1640 (1040) C:\WINDOWS\System32\WLTRYSVC.EXE
size: 20480
MD5: 60714B1C15F815F55798C0B3D4819BEB
PID: 1704 (1640) C:\WINDOWS\System32\bcmwltry.exe
size: 1253376
MD5: 7C19764A2EC7AC4AE8DB4BBF0B7F20C5
PID: 1712 (1040) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 2024 (1040) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 228 (1040) C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
size: 108712
MD5: 63AB43534CBF5D7F3EB81DFDC8161490
PID: 260 (1040) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 116040
MD5: F293992F9CEEF6EA00CE52C3094E59E9
PID: 280 (1040) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 9EFE4236F8670846B6E7C5B0EFF6E715
PID: 344 (1040) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
size: 266295
MD5: 3A462EBA453D84D036046772104CFBCB
PID: 528 (1040) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
size: 104000
MD5: 7CAAA23590379F0EE9179B6EBC4CA42F
PID: 572 (1040) C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
size: 144960
MD5: B74CEBEF7F2126F68CDC060C855E5AAB
PID: 616 (1040) C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
size: 54872
MD5: E35755388F0DF63458356ADE438BA475
PID: 660 (1040) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
size: 869672
MD5: C5052FB77AA42ED440F9F6B4E37145A9
PID: 704 (1216) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
size: 136768
MD5: 634772024DAAD6300548B6D96117A9CF
PID: 732 (1040) C:\WINDOWS\system32\nvsvc32.exe
size: 168004
MD5: 4CB5D519AF776BDDAEB47081F887DF1E
PID: 768 (1040) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
size: 171040
MD5: 2AF094B1CE4725E4551F38FDA2348637
PID: 804 (1040) C:\Program Files\Spyware Doctor\pctsAuxs.exe
size: 348752
MD5: 2881D5C135D076BCF52B0F5AD3D8DC0B
PID: 832 (1040) C:\Program Files\Spyware Doctor\pctsSvc.exe
size: 1096584
MD5: BE137673E328E004C2A4BC21EA717E2C
PID: 1420 (1040) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1496 (1040) C:\WINDOWS\system32\Pen_Tablet.exe
size: 3032360
MD5: 5781D4C12D0D204447F9936D421C1B80
PID: 3056 (1040) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3776 (1496) C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
size: 136488
MD5: EB936E91C3DB3859830BFFAB4FD8E5A3
PID: 3792 (1496) C:\WINDOWS\system32\Pen_Tablet.exe
size: 3032360
MD5: 5781D4C12D0D204447F9936D421C1B80
PID: 3912 (3896) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1248 (3912) C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
size: 112216
MD5: 86C989DFE38BC57F0BDACB018A58FDBD
PID: 1328 (3912) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 851968
MD5: 4E4B8F8E44F786FC4126D884E6AD892C
PID: 1536 (3912) C:\Program Files\Spyware Doctor\pctsTray.exe
size: 1182088
MD5: E6F7FE7BFD2CD4B79142165118D896AA
PID: 1576 (3912) C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
size: 405504
MD5: 012844A8E13BE3941C9CAF1F91F47DF2
PID: 1964 (3912) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2384 (3912) C:\Program Files\UnHackMe\hackmon.exe
size: 231648
MD5: 855B0936882B0187B163C6FCFE36E968
PID: 2440 (3912) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
size: 622653
MD5: 223A18AC9E6A23D6A8B84223F3794497
PID: 2536 (3912) C:\Program Files\SetPoint\SetPoint.exe
size: 679936
MD5: C6AAF2C353F1F90CA05A88CD9FAC8494
PID: 2604 (3912) C:\Program Files\BOINC\boincmgr.exe
size: 4145920
MD5: 33B09052704045EE80A76E7DC307CF35
PID: 2344 (1216) C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
size: 1372244
MD5: FEAF804695D8F8A8A8621E8D82725D8D
PID: 2584 (2604) C:\Program Files\BOINC\boinc.exe
size: 709376
MD5: BAD51C04190664FA42F922B9B2A7034C
PID: 3072 (2536) C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
size: 101136
MD5: F543AE2667843495CC8F8C9711541850
PID: 3724 ( 528) C:\Program Files\McAfee\Common Framework\UdaterUI.exe
size: 136768
MD5: 1B34E87D53C79B3768BED1CD627516FB
PID: 3732 (3724) C:\Program Files\McAfee\Common Framework\McTray.exe
size: 86016
MD5: F01DE4E2D6DF141628BAB697B7B43057
PID: 872 (2584) C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
size: 471040
MD5: 0637B112D6AF998611655EF8AC32659C
PID: 2920 (1216) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3984 (1040) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3532 (3912) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307704
MD5: 26C3F01DF1B1AA6CFEC22D75F1E072F9
PID: 2528 (1040) C:\WINDOWS\system32\msiexec.exe
size: 78848
MD5: F5F0146580E7023ADB963879840777F8
PID: 928 (1040) C:\Program Files\Java\jre6\bin\jqs.exe
size: 152984
MD5: 44FFBA62F0F426B581759C49AAFEC2E2
PID: 976 (3912) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/14/2009 4:24:46 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: PCTOOLS over [MSAFD Tcpip [TCP/IP]]
GUID: {1783D7F8-9B80-410C-947D-F60FC3BF9BFE}
Filename: C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
Protocol 1: PCTOOLS over [MSAFD Tcpip [UDP/IP]]
GUID: {1783D7F8-9B80-410C-947D-F60FC3BF9BFE}
Filename: C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
Protocol 2: PCTOOLS over [MSAFD Tcpip [RAW/IP]]
GUID: {1783D7F8-9B80-410C-947D-F60FC3BF9BFE}
Filename: C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
Protocol 3: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 4: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 5: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 6: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6BE0CB7-FB58-40A9-9020-99195393329E}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D6BE0CB7-FB58-40A9-9020-99195393329E}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF3B93EE-4D9C-4C62-BBA0-122CCFF89DE7}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF3B93EE-4D9C-4C62-BBA0-122CCFF89DE7}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9807F541-14E6-4D0A-83DC-D935CB6E9AB3}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9807F541-14E6-4D0A-83DC-D935CB6E9AB3}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5546A35A-D46E-451D-94B0-F386EEF419F7}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5546A35A-D46E-451D-94B0-F386EEF419F7}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{284B22DC-1925-4531-804E-EA3D4645712E}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{284B22DC-1925-4531-804E-EA3D4645712E}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6C54EDE-3ADE-497B-900A-7744F8077EF4}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6C54EDE-3ADE-497B-900A-7744F8077EF4}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D1ED9A55-B612-4320-8A05-C3B68E893B9B}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D1ED9A55-B612-4320-8A05-C3B68E893B9B}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 26: PCTOOLS CONTENT FILTER PROVIDER
GUID: {7F9EB0B5-7444-4497-AEEF-D0E2C76F9FAD}
Filename: C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
---------------------------------------------------------------
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:18 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) -
http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) -
http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements
5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common
Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9900 bytes
Thanks, this is becoming extremely annoying....:sad:
Iamscifiman
2009-06-14, 22:54
Sorry for the double post, but this just happened after restarting my computer from the spybot scan:
http://img.photobucket.com/albums/v374/MystRivenExile/Computer/unhackme.jpg
This was cleaned, but I figured I might as well post just in case, thanks.
pskelley
2009-06-14, 23:22
1) http://forums.spybot.info/showthread.php?t=288 <<< directions
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines. Otherwise the log is hard to read.
Please post a new HJT log with "Word Wrap" disabled.
Please don't post a gif/jpeg picture to show the problem, they are not needed and also hard on anyone who uses dialup. The logs will suffice and are best read in default black font, thank you.
2) I missed this obsolete program, please have HJT remove it:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
3) Please check something for me like this:
Start > Run > type "services.msc" without the quotes and click OK.
Highlite Automatic Updates and then right click and choose Properties.
On the General Tab, please post (copy/paste) the information in "Path to executable" and also tell me what the Startup type is.
4) Please review this information:
http://forums.spybot.info/showthread.php?t=29959
then post your questions about those SBI items here:
http://forums.spybot.info/forumdisplay.php?f=4
See what the Spybot S&D experts have to say about those.
Here is more information about Spybot S&D that might be helpful.
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html
5) "I will intermittently have my taskbar convert from the regular windows XP default style to the older style (2000?)"
Check first > right click the Taskbar and make sure "Lock the Taskbar" has a check in front of it.
You might also look here for help: http://www.kellys-korner-xp.com/xp_abc.htm
Look under "T" for Taskbar.
Iamscifiman
2009-06-15, 00:07
Hmm, word wrap was disabled before, I'm sorry, not really sure what happened. The HJT log is at the bottom with the ewido entry removed.
And sorry about the picture, it was taken of UnHackMe and I didn't see a place to save a log, that's why I posted the picture.
Automatic Updates:
Path to executable: %fystemroot%\system32\svchost.exe -k netsvcs
Startup Type: Automatic.
I assume that should be systemroot and not fystemroot...?
I have gone over those links briefly but am not sure what you want me to do with them, unless you want me to use the custom databases next.
The taskbar is locked, and trying out the program that website suggested did not help. It would make sense to change it from "classic" mode but while the bar and the tray are in classic mode, the programs list (i.e., each individual program) and start menu are in xp mode.
--------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:58 PM, on 6/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) - http://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9804 bytes
pskelley
2009-06-15, 00:27
I assume that should be systemroot and not fystemroot...?My Windows XP Pro shows: C:\WINDOWS\system32\svchost.exe -k netsvcs
the folder and file are ok on your computer and I am not sure why the difference. You can ask about that here:
http://support.microsoft.com/
email requests for help are free, the technicians are knowledgeable and they will resolve your issues or answer your questions if you are patient.
I have gone over those links briefly but am not sure what you want me to do with them, unless you want me to use the custom databases next.
If you talk about the links to Spybot S&D information, they are just that. If you do not need them, don't open them.
Ask about the Taskbar issue at tech support also.
Here are good free forums to ask about Windows XP issues:
http://www.techsupportforum.com/microsoft-support/windows-xp-support/
http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html
Because of that rootkit, I would like to see if combofix picks up anything on the computer, follow the directions carefully.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from here:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Iamscifiman
2009-06-15, 04:52
Thanks, I will try sending links out soon.
As for ComboFix, it does two strange things. One, it detects Norton Internet Security 2006, which I don't have on my computer, nor can I find in Services or in my Processes in the Windows Task Manager. I've disabled everything else and decided to go ahead anyway. It installed Microsoft Windows Recovery Console and then goes ahead with the procedure. Unfortunately, upon restart, I lost most control of everything and could not log into my account (touchpad and keyboard were out, shutdown was not an option other than pressing the switch, only my USB mouse worked and nothing would log on). Only thing I could really do was a system restore. The point it restored to got me back, it put me right where UnHackMe says it's thing (the picture I posted a few posts back).
The only ComboFix.txt (I've used ComboFix once before and everything had turned out okay) is here: C:\ComboFix(2)\ComboFix.txt I don't think this is what is needed but I'll post it anyway.
ComboFix 09-06-14.02 - Michael 06/14/2009 22:06:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.487 [GMT -4:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
Sorry, I know this wasn't very helpful this time, everything sort of caved in on me.
As a worst-case scenario I will get a CD of Windows XP from my office and backup my computer (last backup was two weeks ago or so) and do a fresh re-install. I'd rather not to that, because it still doesn't solve how to get rid of this stuff, but it's my last option.
pskelley
2009-06-15, 12:29
As a worst-case scenario I will get a CD of Windows XP from my office and backup my computer (last backup was two weeks ago or so) and do a fresh re-install.
Please understand, if your problem is being caused by a corruption of the Operating System, reinstalling it will likely fix the problem BUT if your problem is being caused by hidden malware (rootkit infection) nothing less that a complete reformat of the computer will assure you it is clean.
Please make sure you have read and are following the combofix directions exactly. Once you have combofix installed on the Desktop, before you run it restart the computer in Safe Mode:
http://spyware-free.us/tutorials/safemode/
Run combofix in Safe Mode and post the log.
Iamscifiman
2009-06-16, 05:10
Hmm, well, yes, that was my backup intention. But, in the meantime, it took a bit, but I got ComboFix running and working. Though it says that a number of scanners were active, I was in safe mode and did not see the processes anywhere. I also don't own a number of them too..... so, I simply ran it as I could.
ComboFix 09-06-15.04 - Michael 06/15/2009 21:48.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.772 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\mmsc30c.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\_003341_.tmp.dll
c:\windows\system32\_003342_.tmp.dll
c:\windows\system32\_003343_.tmp.dll
c:\windows\system32\_003344_.tmp.dll
c:\windows\system32\_003351_.tmp.dll
c:\windows\system32\_003352_.tmp.dll
c:\windows\system32\_003353_.tmp.dll
c:\windows\system32\_003354_.tmp.dll
c:\windows\system32\_003356_.tmp.dll
c:\windows\system32\_003357_.tmp.dll
c:\windows\system32\_003360_.tmp.dll
c:\windows\system32\_003361_.tmp.dll
c:\windows\system32\_003363_.tmp.dll
c:\windows\system32\_003364_.tmp.dll
c:\windows\system32\_003365_.tmp.dll
c:\windows\system32\_003366_.tmp.dll
c:\windows\system32\_003367_.tmp.dll
c:\windows\system32\_003370_.tmp.dll
c:\windows\system32\_003371_.tmp.dll
c:\windows\system32\_003375_.tmp.dll
c:\windows\system32\_003376_.tmp.dll
c:\windows\system32\_003378_.tmp.dll
c:\windows\system32\_003381_.tmp.dll
c:\windows\system32\_003383_.tmp.dll
c:\windows\system32\_003384_.tmp.dll
c:\windows\system32\_003385_.tmp.dll
c:\windows\system32\_003386_.tmp.dll
c:\windows\system32\_003387_.tmp.dll
c:\windows\system32\_003390_.tmp.dll
c:\windows\system32\_003391_.tmp.dll
c:\windows\system32\_003392_.tmp.dll
c:\windows\system32\_003393_.tmp.dll
c:\windows\system32\_003394_.tmp.dll
c:\windows\system32\_003399_.tmp.dll
c:\windows\system32\_003401_.tmp.dll
.
---- Previous Run -------
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_npf
-------\Service_mmsc30c
-------\Legacy_NPF
-------\Service_npf
-------\Service_mmsc30c
((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.
2009-06-16 01:16 . 2009-06-16 01:16 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-15 01:22 . 2009-06-15 02:24 -------- d-----w- C:\cmdcons(2)
2009-06-15 01:21 . 2009-06-15 02:24 -------- d-s---w- C:\ComboFix(2)
2009-06-14 20:13 . 2009-06-14 20:13 -------- d-----w- c:\program files\Sun
2009-06-13 19:47 . 2009-06-13 19:47 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-13 02:08 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2009-06-13 02:08 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2009-06-13 02:06 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2009-06-12 03:44 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-12 03:44 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-12 03:44 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-12 03:01 . 2007-08-21 13:58 146944 ----a-w- c:\windows\system32\st325602.dll
2009-06-11 03:07 . 2009-06-11 03:07 -------- d-----w- c:\program files\Safer Networking
2009-06-11 00:07 . 2009-06-11 00:10 -------- d-----w- C:\RootkitNO
2009-06-11 00:06 . 2009-06-11 00:06 2 --shatr- c:\windows\winstart.bat
2009-06-11 00:05 . 2008-12-22 19:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-06-11 00:05 . 2009-06-11 00:07 -------- d-----w- c:\program files\UnHackMe
2009-06-11 00:05 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-11 00:05 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-11 00:05 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-11 00:04 . 2009-06-11 00:09 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-11 00:04 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-11 00:04 . 2009-06-16 01:15 -------- d-----w- c:\program files\Spyware Doctor
2009-06-11 00:04 . 2009-06-14 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-11 00:04 . 2009-06-11 00:04 -------- d-----w- c:\documents and settings\Michael\Application Data\PC Tools
2009-06-09 21:31 . 2009-06-09 21:31 -------- d-----w- c:\documents and settings\Administrator.MACGYVER\Local Settings\Application Data\Mozilla
2009-06-09 21:31 . 2009-06-09 21:31 -------- d-----w- c:\documents and settings\Administrator.MACGYVER\Application Data\Malwarebytes
2009-06-09 21:30 . 2007-08-03 15:57 10134 ----a-r- c:\documents and settings\Administrator.MACGYVER\Application Data\Microsoft\Installer\{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}\ARPPRODUCTICON.exe
2009-06-09 21:30 . 2007-08-03 15:57 10134 ----a-r- c:\documents and settings\Administrator.MACGYVER\Application Data\Microsoft\Installer\{9060B698-2B29-4A1F-B876-BEAC4C0A25D5}\ARPPRODUCTICON.exe
2009-05-26 05:06 . 2009-05-26 05:06 -------- d-----w- c:\documents and settings\Michael\Application Data\funkitron
2009-05-26 05:06 . 2009-05-26 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-05-26 05:05 . 2009-05-26 05:05 -------- d-----w- c:\program files\Blokus World Tour
2009-05-26 05:05 . 2009-05-26 05:05 -------- d-----w- c:\windows\Blokus World Tour
2009-05-17 20:13 . 2009-05-17 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
3427-09-26 02:40 . 2008-06-10 05:21 100000 ----a-w- c:\windows\SHELL32.DLL
2009-06-16 02:35 . 2007-11-12 23:41 -------- d-----w- c:\program files\BOINC
2009-06-16 02:33 . 2007-09-04 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-16 02:28 . 2007-08-03 16:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-16 02:25 . 2008-06-22 01:07 -------- d-----w- c:\documents and settings\Michael\Application Data\WTablet
2009-06-16 01:20 . 2008-06-23 16:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-06-15 02:27 . 2008-07-02 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 20:08 . 2009-01-27 03:28 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 20:00 . 2007-08-03 15:53 -------- d-----w- c:\program files\Java
2009-06-14 19:54 . 2007-08-03 16:08 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 19:05 . 2007-08-03 15:39 167561 ----a-w- c:\windows\system32\nvModes.dat
2009-06-14 16:23 . 2007-08-10 13:07 -------- d-----w- c:\program files\Azureus
2009-06-13 20:01 . 2007-09-18 22:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-13 20:01 . 2007-09-18 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-13 19:47 . 2008-12-06 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 18:42 . 2007-08-09 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-12 03:01 . 2007-08-03 15:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 03:18 . 2007-10-06 20:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-04 04:13 . 2008-06-10 01:38 -------- d-----w- c:\documents and settings\Michael\Application Data\mIRC
2009-06-04 01:01 . 2008-06-14 06:28 -------- d-----w- c:\program files\mIRC
2009-05-26 17:20 . 2008-12-06 20:31 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-06 20:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-17 17:31 . 2007-12-13 04:39 -------- d-----w- c:\documents and settings\Michael\Application Data\dvdcss
2009-05-17 00:14 . 2008-07-05 21:07 886 ----a-w- c:\windows\EntPack.dat
2009-05-15 03:04 . 2009-05-15 02:28 -------- d-----w- c:\documents and settings\Michael\Application Data\FileZilla
2009-05-15 02:28 . 2009-05-15 02:28 -------- d-----w- c:\program files\FileZilla FTP Client
2009-05-13 04:51 . 2009-05-13 04:41 -------- d-----w- c:\program files\WikidPad
2009-05-13 04:43 . 2009-05-13 04:43 -------- d-----w- c:\documents and settings\Michael\Application Data\WikidPad
2009-05-13 03:30 . 2009-05-13 03:29 -------- d-----w- c:\documents and settings\Michael\Application Data\SmartDraw
2009-05-03 17:44 . 2007-08-29 17:15 63752 -c--a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 06:53 . 2008-06-10 02:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-03 06:11 . 2009-05-03 06:11 -------- d-----w- c:\documents and settings\Michael\Application Data\Blender Foundation
2009-05-03 06:04 . 2009-05-03 06:04 -------- d-----w- c:\program files\CosmoSoftware
2009-05-03 05:57 . 2009-05-03 05:57 -------- d-----w- c:\program files\ParallelGraphics
2009-05-03 05:57 . 2009-05-03 05:57 -------- d-----w- c:\program files\Common Files\ParallelGraphics
2009-05-03 05:45 . 2009-05-03 05:45 -------- d-----w- c:\program files\Homeworld Unit Viewer
2009-04-30 05:17 . 2008-01-14 05:07 -------- d-----w- c:\documents and settings\Michael\Application Data\PLT Scheme
2009-04-21 02:13 . 2007-09-07 03:44 -------- d-----w- c:\documents and settings\Michael\Application Data\AdobeUM
2007-08-29 17:14 . 2007-08-29 17:14 604 -c-ha-w- c:\program files\STLL Notifier
2007-08-03 15:56 . 2007-08-03 15:56 76 -csh--r- c:\windows\CT4CET.bin
.
------- Sigcheck -------
[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\system32\user32.dll
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 10:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-06-04 1182088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13594624]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-14 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
c:\documents and settings\Michael\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2007-10-29 4145920]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2007-8-9 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^rncsys32.exe]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Michael\\Computer Stuff\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/10/2009 8:05 PM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [6/11/2009 11:44 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [6/11/2009 11:44 PM 39200]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2/9/2008 12:02 AM 8576]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/10/2009 8:04 PM 348752]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [6/21/2008 9:19 PM 3032360]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [8/3/2007 11:32 AM 235584]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [8/3/2007 11:32 AM 7424]
R4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/10/2009 8:05 PM 159600]
S2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [6/7/2008 4:31 AM 68096]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [6/7/2008 4:31 AM 68096]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [6/11/2009 11:44 PM 33056]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/21/2008 9:19 PM 15144]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [6/10/2009 8:04 PM 64392]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-02 05:33]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {576756A1-D97C-45D0-A945-0324019A131E} - hxxp://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXGrid.cab
DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} - hxxp://rtsv07.colgate.edu/TIWEB70/downloads/BOSIActiveXMemoControl.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\6oqgjmpm.default\
FF - plugin: c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\6oqgjmpm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcosmop211.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 22:28
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1052)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
- - - - - - - > 'explorer.exe'(3436)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\UnHackMe\Unhackme.exe
c:\program files\UnHackMe\Unhackme.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\BOINC\boinc.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\program files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
c:\program files\McAfee\Common Framework\UdaterUI.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-16 22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 02:56
ComboFix2.txt 2009-03-11 00:28
Pre-Run: 5,415,940,096 bytes free
Post-Run: 4,125,863,936 bytes free
311 --- E O F --- 2009-06-16 02:36
pskelley
2009-06-16, 13:09
Any particular reason you did not allow Recovery Console to install?
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default. If you own a Windows Operating System CD with Recovery Console on it, it can be run from the CD if needed if you wish.
c:\program files\Azureus <<< P2P program, delete that folder.
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Please update MBAM (Database 2286 Date 6/16/2009) perform a full scan and post the results.
How is the computer running now.
Thanks
Iamscifiman
2009-06-17, 05:58
Yes, because I was running in safe mode and my computer was not connecting to the internet even with networking. As I said earlier, no, I don't own a CD (my machine came pre-loaded with XP) so I'll just have to live with it.
The folder only contained empty folders, but I deleted it anyway.
I ran MBAM and then spybot just to be sure (since spybot was detecting Win32.Iksmas.ai). No issues in either. My computer is much faster now, though a bit slow at times, I think just because of clearing my prefetch stuff perhaps?
If it is okay, I would like to run a few more scans just to be sure. Thank you very much for your assistance.:thanks:
--------------------------------
Malwarebytes' Anti-Malware 1.37
Database version: 2290
Windows 5.1.2600 Service Pack 3
6/16/2009 11:31:26 PM
mbam-log-2009-06-16 (23-31-25).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 674889
Time elapsed: 4 hour(s), 50 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
pskelley
2009-06-17, 13:13
I want to point out here that combofix is showing these as antivirus programs:
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: (McAfee) VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
and you said this:
One, it detects Norton Internet Security 2006,
NIS is showing in Add Remove programs: Norton Internet Security
See this information:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
It is always best to use the program uninstaller but if it does not remove all of NIS, this tool from Symantec will do it.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
Thanks for the feedback, I do suggest you install Recovery Console before you remove combofix for ease of installation. Here are the manual instructions.
Your operating system is: Microsoft Windows XP Home Edition SP3
Download RC from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en
(Please note that the SP#2 download works for your system)
Download: WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
Download to the Desktop and then drag and drop onto combofix like this:
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
Once that is complete, move on with these closing instructions.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
(optional since the last scan was clean)
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)
Update McAfee and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/
If all is well at this point, let me know and I will close the topic.
This information may help the computer run better:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.malwareremoval.com/tutorials/runningslowly.php
http://www.bleepingcomputer.com/forums/index.php?showtopic=87058&st=0&p=487112&#entry487112
http://www.microsoft.com/atwork/getstarted/speed.mspx
Some good information for you:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
Iamscifiman
2009-06-18, 14:10
Hmm, NIS did not show up in Add/Remove but the tool worked to remove something, so thank you.
Everything else has been completed. MBAM found nothing and McAfee found tow Vundo Trojans which it got rid of. As long as they are unrelated, which I think is likely, then I should be okay. Again, thank you for the assistance, I should be good now.
pskelley
2009-06-18, 14:23
Thanks for the feedback, I would like to know where the "trojans" McAfee found were located if you know. Possible they were in System Restore which should have been purged before McAfee was run? I'll leave your topic open for a couple of days to be sure nothing else occurs.
Iamscifiman
2009-06-19, 00:18
Unfortunately not, I checked the results of the scan this morning and was in a hurry out the door. I completed everything in order on that post, McAfee was last, so I'm not really sure. I'll keep scanning and let you know if anything comes up.
I will also re-start TeaTimer if that is okay.
Iamscifiman
2009-06-19, 07:46
Again, sorry to double post, I had to fix Ad-aware, which worked, based on the error code I looked up, but what I discovered was this folder lurking on my computer:
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
There seems to be a "driver" in it, from a google search it seems to be bad. Should I simply delete this folder or does some other precaution need to be taken?
Ad-aware turned up nothing as well. I am fairly confident in a clean computer minus these incidents. It's working much better now in any case.
pskelley
2009-06-19, 13:56
3276BE95_AF08_429F_A64F_CA64CB79BCF6 <<< Google is showing nothing but negative:
http://www.google.com/search?hl=en&q=3276BE95_AF08_429F_A64F_CA64CB79BCF6&btnG=Search&aq=f&oq=&aqi=
You can scan any files in the folder to see what they are if you wish:
Free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
I suggest you right click that folder and delete it. That will move it to your Recycle Bin, let it stay there for a few days to see how the computer runs without it, then empty the Recycle Bin.
Thanks
Iamscifiman
2009-06-23, 04:12
No problems associated with its deletion (though the scans didn't find anything). I keep running scans, Spyware Doctor comes up with minor things but everything else is clean. I think I'm good to go and this is good to close, again, thanks for everything!
pskelley
2009-06-23, 11:30
Thanks for taking the time to let me know:bigthumb: safe surfing.