Trojan-Clicker.win32.delf.cbe



racedriver1972
2009-09-19, 19:26
This virus continually re-installs. Help would be greatly appreciated.

HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:30 AM, on 9/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\PROGRA~1\UPDATE~1\9972322\Program\UPDATE~1.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Software Update\hpwucli.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Becki\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truckworksinc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F691B5E-00E4-4E32-8E85-016DAB380CCA} - c:\windows\system32\mhjuncd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {d5f35314-e80d-4615-b655-4f899437dd00} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [HPSoftwareUpdate] C:\Program Files\HP\HP Software Update\HPWUCli.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://factfinder.census.gov
O15 - Trusted Zone: http://www.ford.com
O15 - Trusted Zone: http://www55.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www81.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www.goodsamclub.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://downloadcenter.intel.com
O15 - Trusted Zone: downloadmirror.intel.com
O15 - Trusted Zone: *.intel.com
O15 - Trusted Zone: http://turbotax.intuit.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://www.lowes.com
O15 - Trusted Zone: http://www.movietickets.com
O15 - Trusted Zone: http://www.trailerlifedirectory.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {240EEE8D-91DB-4D74-A87E-671026601333} (EOLUP.Version) - http://accounting1.coaxis-asp.net/eolupcli.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://accounting1.coaxis-asp.net/msrdp.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sorrowandhope.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: wxgqrjmr - C:\WINDOWS\SYSTEM32\mhjuncd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12835 bytes

Shaba
2009-09-22, 12:11
Hi racedriver1972

Please post the next Spybot report :)

racedriver1972
2009-09-22, 16:12
I am running it now and leaving for work. Will post the report tonight.

Thanks, Rob.

Shaba
2009-09-22, 18:45
Thanks for the update, take your time :)

racedriver1972
2009-09-23, 03:19
Here is the Spybot log. It asked to restart and run again after the restart once it finished, so I will do that also, and post that log too unless you tell me not to.

Thanks, Rob.

Part 1
--- Search result list ---
Zango: [SBI $FD0351D8] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038}

Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

FunWebProducts: [SBI $561F0D2E] User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\Microsoft\Internet Explorer\MenuExt\&Search\=...http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml...

FunWebProducts: [SBI $561F0D2E] User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Internet Explorer\MenuExt\&Search\=...http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml...

FunWebProducts: [SBI $8CC75C5A] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}

FunWebProducts: [SBI $8CC75C5A] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}

FunWebProducts: [SBI $E2D974B3] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Fun Web Products

MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

MyWay.MyWebSearch: [SBI $B1C70274] Browser helper object (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\MyWebSearch

MyWay.MyWebSearch: [SBI $B1C70274] Browser helper object (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\MyWebSearch

MyWay.MyWebSearch: [SBI $BF485355] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

NewDotNet: [SBI $FDD2BA3A] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}

NewDotNet: [SBI $FDD2BA3A] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}

MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1009\Software\FunWebProducts

MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1010\Software\FunWebProducts

MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\FunWebProducts

Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

StarWare: [SBI $95CA14DA] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1}

StarWare: [SBI $C1439312] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5}

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\ahowayas.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\atuzodef.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\ayefabid.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\uturepad.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\evihomah.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\eyekejas.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\oyeloyid.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\iveheseb.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\ojujepod.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Virtumonde.Dll: [SBI $5DC45B99] Library (File, fixed)
C:\WINDOWS\system32\kyprxahb.dll
Properties.size=143872
Properties.md5=C708046C1DB5CC1FAAF251D6C2A8FF92
Properties.filedate=1091595600
Properties.filedatetext=2004-08-03 22:00:00

Virtumonde.sdn: [SBI $70056CE6] Data (File, fixed)
C:\WINDOWS\system32\yimuvuwo
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

DoubleClick: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


AdRevolver: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


BurstMedia: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


AdRevolver: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


FastClick: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


AdRevolver: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


BurstMedia: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


WebTrends live: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: Becki) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: kids_2 (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: kids_2 (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: kids_2 (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: kids_2 (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: kids_2 (default)) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-09-22 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-15 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-09-15 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-15 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-09-15 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-15 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-15 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-15 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-15 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player: Security Update for Windows Media Player (KB968816)
/ Windows Media Player: Security Update for Windows Media Player (KB973540)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127-v2)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971930)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB971961)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB972260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Update for Windows XP (KB953356)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956744)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB956844)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Security Update for Windows XP (KB960859)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961371)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Update for Windows XP (KB968389)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP / SP4: Hotfix for Windows XP (KB970653-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB971557)
/ Windows XP / SP4: Security Update for Windows XP (KB971633)
/ Windows XP / SP4: Security Update for Windows XP (KB971657)
/ Windows XP / SP4: Security Update for Windows XP (KB973346)
/ Windows XP / SP4: Security Update for Windows XP (KB973354)
/ Windows XP / SP4: Security Update for Windows XP (KB973507)
/ Windows XP / SP4: Update for Windows XP (KB973815)
/ Windows XP / SP4: Security Update for Windows XP (KB973869)


--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HP Software Update
command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 54576
MD5: 5516C26A6AF8EB4E2CAB48EC98A74398

Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
size: 221184
MD5: FB9E5C251CF6C37749F296BACB34A69B

Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: 763DAB43BDAB27316DBF3373192823D7

Located: HK_LM:Run, Malwarebytes Anti-Malware (reboot)
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1312080
MD5: C5FCC0B761069FABD59E41B7C3280DDF

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_LM:RunOnce, Spybot - Search & Destroy
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89

Located: HK_LM:RunOnce, SpybotDeletingA6625
command: command.com /c del "C:\WINDOWS\system32\kyprxahb.dll"
file: command.com /c del "C:\WINDOWS\system32\kyprxahb.dll"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingC9111
command: cmd.exe /c del "C:\WINDOWS\system32\kyprxahb.dll"
file: C:\WINDOWS\system32\cmd.exe
size: 389120
MD5: 6D778E0F95447E6546553EEEA709D03C

Located: HK_LM:Run, HP Software Update (DISABLED)
command: "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 54576
MD5: 5516C26A6AF8EB4E2CAB48EC98A74398

Located: HK_LM:Run, iTunesHelper (DISABLED)
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 290088
MD5: E6A4E341E4304B34AA280D3E73818C90

Located: HK_LM:Run, KernelFaultCheck (DISABLED)
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep 0 -k
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, LSBWatcher (DISABLED)
command: c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
file: c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
size: 253952
MD5: 5FD441FA69B135B8891EBF8F2F8631B7

Located: HK_LM:Run, Microsoft Works Update Detection (DISABLED)
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 50688
MD5: 9B7137623E5DD682D5E4A5F9BC326584

Located: HK_LM:Run, PS2 (DISABLED)
command: C:\WINDOWS\system32\ps2.exe
file: C:\WINDOWS\system32\ps2.exe
size: 90112
MD5: FF8CCC86C4E42F59B189BD28D362B599

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_LM:Run, StartCCC (DISABLED)
command: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
file: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
size: 90112
MD5: 033FF248550305ED52ED2D2844A8A11B

Located: HK_LM:Run, tgcmd (DISABLED)
command: "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
file: C:\Program Files\Support.com\bin\tgcmd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: D09A5F5C4DBD5D4DFF09AB1A69812062

Located: HK_CU:RunOnce, FlashPlayerUpdate
where: .DEFAULT...
command: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
file: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
size: 235936
MD5: 0AE72A6CF7DA6440320BCF7241CE9ED4

Located: HK_CU:RunOnce, RunNarrator
where: .DEFAULT...
command: Narrator.exe
file: C:\WINDOWS\system32\Narrator.exe
size: 53760
MD5: 21F839F2281473642AC2060F30E19DC7

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1294802479-783438776-1001296409-1009...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1009...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, msnmsgr (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1009...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, QuickTime Task (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1009...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Walgreens PhotoShow Media Manager
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
file: C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
size: 237568
MD5: 9FD48B9EC796B5F67E873685DCC6F640

Located: HK_CU:RunOnce, SpybotDeletingB2248
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: command.com /c del "C:\WINDOWS\system32\kyprxahb.dll"
file: command.com /c del "C:\WINDOWS\system32\kyprxahb.dll"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD5071
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: cmd.exe /c del "C:\WINDOWS\system32\kyprxahb.dll"
file: C:\WINDOWS\system32\cmd.exe
size: 389120
MD5: 6D778E0F95447E6546553EEEA709D03C

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Registry Cleaner (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1010...
command: "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
file: C:\Program Files\Registry Cleaner Trial\Regclean.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1294802479-783438776-1001296409-1011...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-1294802479-783438776-1001296409-1011...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_CU:Run, swg
where: S-1-5-21-1294802479-783438776-1001296409-1011...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Aim6 (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1011...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MySpaceIM (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1011...
command: C:\Program Files\MySpace\IM\MySpaceIM.exe
file: C:\Program Files\MySpace\IM\MySpaceIM.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Aim6 (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, msnmsgr (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MySpaceIM (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: C:\Program Files\MySpace\IM\MySpaceIM.exe
file: C:\Program Files\MySpace\IM\MySpaceIM.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, QuickTime Task (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-1294802479-783438776-1001296409-1013...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2144088
MD5: 896A1DB9A972AD2339C2E8569EC926D1

Located: HK_CU:RunOnce, FlashPlayerUpdate
where: S-1-5-18...
command: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
file: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
size: 235936
MD5: 0AE72A6CF7DA6440320BCF7241CE9ED4

Located: HK_CU:RunOnce, RunNarrator
where: S-1-5-18...
command: Narrator.exe
file: C:\WINDOWS\system32\Narrator.exe
size: 53760
MD5: 21F839F2281473642AC2060F30E19DC7

Located: Startup (common), HP Digital Imaging Monitor.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 258048
MD5: C519CEC624CF9BCBA3059F32266C8FFF

Located: Startup (common), HP Image Zone Fast Start.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
size: 53248
MD5: 8C53463A3E28454D74F48BF87A9CF7BA

Located: Startup (common), Microsoft Office.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: Startup (common), Updates from HP.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
file: C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
size: 36903
MD5: 84A6C6456F86ED03B79DB55BCBCDB2BD

Located: Startup (user), Adobe Gamma.lnk
where: C:\Documents and Settings\Becki\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A

Located: Startup (user), STK02N 2.0 PNP Monitor.lnk
where: C:\Documents and Settings\kids_2\Start Menu\Programs\Startup...
command: C:\WINDOWS\STK02N\STK02NM.exe
file: C:\WINDOWS\STK02N\STK02NM.exe
size: 163840
MD5: 9E30189C814095FE0293E39AD08EF943

Located: Startup (disabled), HP Digital Imaging Monitor (DISABLED)
command: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
file: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
size: 258048
MD5: C519CEC624CF9BCBA3059F32266C8FFF

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wxgqrjmr
command: mhjuncd.dll
file: mhjuncd.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 9/23/2005 9:12:08 PM
Date (last access): 9/22/2009 5:45:48 PM
Date (last write): 9/23/2005 9:12:08 PM
Filesize: 63136
Attributes: archive
MD5: B61D5D651ECC6055C29BF826CA7B1141
CRC32: FEF15799
Version: 7.0.5.172

{3F691B5E-00E4-4E32-8E85-016DAB380CCA} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: c:\windows\system32\
Long name: mhjuncd.dll
Short name:
Date (created): 8/3/2004 10:00:00 PM
Date (last access): 9/19/2009 4:47:04 PM
Date (last write): 8/3/2004 10:00:00 PM
Filesize: 101376
Attributes: archive
MD5: 7817503E905514A4B4798B6F4AD94211
CRC32: F38D89D3

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 2/17/2009 4:11:04 PM
Date (last access): 9/22/2009 5:45:26 PM
Date (last write): 2/17/2009 4:11:04 PM
Filesize: 408440
Attributes: archive
MD5: 1A82C1B9BB43385695EFC3A84F6756A2
CRC32: 75E558CA
Version: 5.0.818.6

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Toolbar Helper
Path: C:\Program Files\Windows Live Toolbar\
Long name: msntb.dll
Short name:
Date (created): 10/19/2007 11:20:48 AM
Date (last access): 9/22/2009 5:45:26 PM
Date (last write): 10/19/2007 11:20:48 AM
Filesize: 546320
Attributes: archive
MD5: CEE1BE1DA21300208D07FBEAE9EA2B51
CRC32: 12446524
Version: 3.1.0.146

{d5f35314-e80d-4615-b655-4f899437dd00} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:



--- ActiveX list ---
{00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class)
DPF name:
CLSID name: Checkers Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
description:
classification: Legitimate
known filename: msgrchkr.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: msgrchkr.dll
Short name:
Date (created): 5/29/2003 3:00:18 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 5/29/2003 3:00:18 PM
Filesize: 77408
Attributes: archive
MD5: 42D567DF86B9B7AC4A89664C9651B68B
CRC32: 47FF3D19
Version: 7.1.9502.1

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 11/4/2008 10:31:14 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 11/4/2008 10:31:14 AM
Filesize: 779568
Attributes: archive
MD5: 7977EEA67691BA941CED002B13633ECE
CRC32: 3C521BFC
Version: 7.55.90.70

{05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object)
DPF name:
CLSID name: StagingUI Object
Installer:
Codebase: http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
description:
classification: Legitimate
known filename: StagingUI.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: StagingUI.ocx
Short name: STAGIN~1.OCX
Date (created): 11/8/2005 5:09:44 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 11/8/2005 5:09:44 PM
Filesize: 339496
Attributes: archive
MD5: C7D6E76D281DE255EF4CD2BEF90FABBD
CRC32: 1EE6AB44
Version: 9.4.641.1

racedriver1972
2009-09-23, 03:21
{14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
description:
classification: Legitimate
known filename: MessengerStatsPAClient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~2.DLL
Date (created): 4/6/2004 7:03:54 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 4/6/2004 7:03:54 PM
Filesize: 172072
Attributes: archive
MD5: 94D1773AEAA2197AFEE3A6F8404FE4E9
CRC32: 76C3823D
Version: 9.2.7513.1

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer:
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: swdir.dll
Short name:
Date (created): 6/16/2008 12:01:40 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 3/19/2008 7:36:22 PM
Filesize: 202168
Attributes: archive
MD5: 284259B6EB9901B8978B78AFC5514627
CRC32: 6C37B749
Version: 11.0.0.429

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 6:04:22 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 2/6/2009 12:35:56 PM
Filesize: 1486208
Attributes: archive
MD5: 937A55210D8B8B75F017C79958ECE7D3
CRC32: CA9CD645
Version: 1.9.9.1

{233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\swdir.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description:
classification: Legitimate
known filename: SwDir.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: swdir.dll
Short name:
Date (created): 6/16/2008 12:01:40 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 3/19/2008 7:36:22 PM
Filesize: 202168
Attributes: archive
MD5: 284259B6EB9901B8978B78AFC5514627
CRC32: 6C37B749
Version: 11.0.0.429

{240EEE8D-91DB-4D74-A87E-671026601333} (EOLUP.Version)
DPF name:
CLSID name: EOLUP.Version
Installer: C:\WINDOWS\Downloaded Program Files\eolupcli.inf
Codebase: http://accounting1.coaxis-asp.net/eolupcli.cab
Path: C:\WINDOWS\system32\
Long name: eolupver.dll
Short name:
Date (created): 3/6/2006 11:33:14 AM
Date (last access): 9/22/2009 5:45:04 PM
Date (last write): 8/25/2005 12:57:38 PM
Filesize: 151552
Attributes: archive
MD5: 264CCFF94434B0CF7152B9F6C3C5FE50
CRC32: 086E8A9F
Version: 4.0.27.0

{3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class)
DPF name:
CLSID name: ZoneBuddy Class
Installer:
Codebase: http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
description:
classification: Legitimate
known filename: ZBuddy.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZBuddy.ocx
Short name:
Date (created): 11/17/2004 10:46:28 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 11/17/2004 10:46:28 PM
Filesize: 194600
Attributes: archive
MD5: EB58AA7BB0CD28E129380C4C29A17BB2
CRC32: 4F7494D7
Version: 9.3.2846.1

{4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control)
DPF name:
CLSID name: FixController Control
Installer: C:\WINDOWS\Downloaded Program Files\HPInstallMgr_v01_5.inf
Codebase: http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
Path: C:\Program Files\Hp\Common\
Long name: FixEngine.dll
Short name: FIXENG~1.DLL
Date (created): 2/28/2007 7:21:26 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 2/28/2007 7:21:26 PM
Filesize: 448136
Attributes: archive
MD5: E2EF06D47244332D37B7B779231A7F5B
CRC32: 13B09225
Version: 1.0.2.13

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\WINDOWS\Downloaded Program Files\MSNPupld.inf
Codebase: http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 10/14/2005 11:02:36 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 10/14/2005 11:02:36 AM
Filesize: 372736
Attributes: archive
MD5: C673BDB4BE7D28D36D39181F6183DFA2
CRC32: 18D2F4B2
Version: 10.0.911.0

{5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object)
DPF name:
CLSID name: ZonePAChat Object
Installer:
Codebase: http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
description:
classification: Legitimate
known filename: ZPAChat.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZPAChat.ocx
Short name:
Date (created): 11/17/2004 10:47:08 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 11/17/2004 10:47:08 PM
Filesize: 456744
Attributes: archive
MD5: 948E7F8C31AEAD9EA7F196833F91E8C5
CRC32: F3A349C2
Version: 9.3.2846.1

{596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class)
DPF name:
CLSID name: PictureItLauncher Class
Installer: C:\WINDOWS\Downloaded Program Files\DigWebX2.inf
Codebase: http://photos.msn.com/resources/neutral/controls/DigWebX2.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: DigWebX2.dll
Short name:
Date (created): 10/26/2004 4:23:18 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 10/26/2004 4:23:18 PM
Filesize: 191488
Attributes: archive
MD5: 10C2882D1BFA2A2B92B691DCD39E96DA
CRC32: 8715855C
Version: 10.0.910.0

{62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control)
DPF name:
CLSID name: Autodesk MapGuide ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\MgAxCtrl.inf
Codebase: http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
description:
classification: Legitimate
known filename: MGAXCTRL.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MgAxCtrl.dll
Short name:
Date (created): 4/7/2004 1:01:36 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 4/7/2004 1:01:36 AM
Filesize: 3384512
Attributes: archive
MD5: 3C2860E997F9AFC4E5CACB7151959290
CRC32: 30FF59E5
Version: 6.5.5.7

{6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class)
DPF name:
CLSID name: HpProductDetection Class
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
description:
classification: Legitimate
known filename: HPDeviceDetection.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\HP\Common\
Long name: HPDeviceDetection.dll
Short name: HPDEVI~1.DLL
Date (created): 5/7/2007 11:53:44 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 5/7/2007 11:53:44 AM
Filesize: 516664
Attributes: archive
MD5: 312C2C77595B224249D50CA278505432
CRC32: AD85C64C
Version: 4.0.2.0

{6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager)
DPF name:
CLSID name: HP Download Manager
Installer: C:\WINDOWS\Downloaded Program Files\HPDEXAXO.inf
Codebase: https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: HPDEXAXO.dll
Short name:
Date (created): 10/18/2007 10:04:16 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 10/18/2007 10:04:16 AM
Filesize: 341296
Attributes: archive
MD5: CDE357CD3FC047F5C7D8B8345B6A42BF
CRC32: 7ABDC22F
Version: 1.0.5.1

{73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class)
DPF name:
CLSID name: GMNRev Class
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
Path: C:\Program Files\HP\Common\
Long name: HPGMNRev.dll
Short name:
Date (created): 4/6/2009 4:25:18 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 4/6/2009 4:25:18 PM
Filesize: 187448
Attributes: archive
MD5: 6C064B89690EEBCE38E71BA9937A60E7
CRC32: 49724F32
Version: 9.7.2.0

{7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist))
DPF name:
CLSID name: Microsoft RDP Client Control (redist)
Installer: C:\WINDOWS\Downloaded Program Files\msrdp.inf
Codebase: http://accounting1.coaxis-asp.net/msrdp.cab
description:
classification: Legitimate
known filename: msrdp.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: msrdp.ocx
Short name:
Date (created): 3/24/2003 11:03:32 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 3/24/2003 11:03:32 PM
Filesize: 683008
Attributes: archive
MD5: FCBE8CFB80B08BB731DC816F3261E4C7
CRC32: 504BF2EF
Version: 5.2.3790.0

{7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher)
DPF name:
CLSID name: SpinTop Games Launcher
Installer: C:\WINDOWS\Downloaded Program Files\SpinTopGamesLauncher.inf
Codebase: http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: SpinTopGamesLauncher.dll
Short name: SPINTO~1.DLL
Date (created): 12/19/2006 4:25:34 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 12/19/2006 4:25:34 PM
Filesize: 106496
Attributes: archive
MD5: 6643E988145189105A085731BC466173
CRC32: DB455993
Version: 1.0.0.1

{7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control)
DPF name:
CLSID name: Windows Live Photo Upload Control
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MSNPUpld.inf
Codebase: http://sorrowandhope.spaces.live.com/PhotoUpload/MsnPUpld.cab
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
Long name: MsnPUpld.dll
Short name:
Date (created): 8/2/2007 11:31:32 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 8/2/2007 11:31:32 AM
Filesize: 360320
Attributes: archive
MD5: C670858E2347EAB5C9507A91A142210F
CRC32: B1C9923E
Version: 10.0.916.0

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
description:
classification: Legitimate
known filename: messengerstatsclient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: messengerstatsclient.dll
Short name: MESSEN~1.DLL
Date (created): 5/29/2003 3:00:20 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 5/29/2003 3:00:20 PM
Filesize: 160864
Attributes: archive
MD5: B069B555A00AA026F657AA4FD13AE154
CRC32: 89BB01E1
Version: 7.1.9502.1

{8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\SpinTopGamesLauncher.inf
Codebase: http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab

{9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class)
DPF name:
CLSID name: ZoneAxRcMgr Class
Installer:
Codebase: http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
description:
classification: Legitimate
known filename: ZAxRcMgr.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZAxRcMgr.ocx
Short name:
Date (created): 12/23/2003 3:52:46 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 12/23/2003 3:52:46 PM
Filesize: 62184
Attributes: archive
MD5: 5C761570E7D918860D1B7BDFFD5175CB
CRC32: 32D1AAFA
Version: 9.2.5188.1

{9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object)
DPF name:
CLSID name: ZPA_TexasHoldem Object
Installer:
Codebase: http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: zpa_txhe.ocx
Short name:
Date (created): 3/15/2006 3:27:08 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 3/15/2006 3:27:08 PM
Filesize: 2795048
Attributes: archive
MD5: 898EFC187504FF3DD5351C425A98BEAA
CRC32: 9BE5D3C1
Version: 9.4.3895.1

{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control)
DPF name:
CLSID name: Get_ActiveX Control
Installer:
Codebase: https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
description:
classification: Legitimate
known filename: HPGetDownloadManager.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: HPGetDownloadManager.ocx
Short name: HPGETD~1.OCX
Date (created): 6/7/2007 6:08:38 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 6/7/2007 6:08:38 PM
Filesize: 88136
Attributes: archive
MD5: 200E3189656F9A29FB5BC7F71AB3F283
CRC32: 8C85B2F9
Version: 3.3.0.0

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 8/14/2005 12:26:04 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 8/14/2005 12:26:04 AM
Filesize: 113664
Attributes: archive
MD5: C403792A3FF639C215067D5AA680C482
CRC32: 7CD0769A
Version: 1.0.0.3

{B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer)
DPF name:
CLSID name: MSN Games - Installer
Installer:
Codebase: http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
description:
classification: Legitimate
known filename: ZIntro.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZIntro.ocx
Short name:
Date (created): 1/31/2005 11:26:46 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 2/19/2007 11:26:28 AM
Filesize: 159128
Attributes: archive
MD5: E681AC948003CCA59C6C00D3F5EC3D4B
CRC32: C8723760
Version: 9.5.6649.1

{BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class)
DPF name:
CLSID name: CBreakshotControl Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
description:
classification: Legitimate
known filename: Banksht2.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Banksht2.dll
Short name:
Date (created): 5/11/2004 11:55:38 AM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 5/11/2004 11:55:38 AM
Filesize: 1277992
Attributes: archive
MD5: 5409FBE248ACC1E2A8FE5C03442BEF74
CRC32: FC1429F1
Version: 1.0.5.11

{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0\bin\
Long name: NPJPI150.dll
Short name:
Date (created): 10/14/2005 7:34:56 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 10/14/2005 7:34:56 PM
Filesize: 69740
Attributes: archive
MD5: D25BB4762A876A3DBF6F2BAA36A179FA
CRC32: 9367234B
Version: 1.5.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10c.ocx
Short name:
Date (created): 7/17/2009 8:12:12 PM
Date (last access): 9/22/2009 5:46:10 PM
Date (last write): 7/17/2009 8:12:12 PM
Filesize: 3979680
Attributes: readonly archive
MD5: 43C6ACDFB92A18C3E516E6BD5F1ACD51
CRC32: D6F40D46
Version: 10.0.32.18

{D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control)
DPF name:
CLSID name: TikGames Online Control
Installer: C:\WINDOWS\Downloaded Program Files\gpcontrol.inf
Codebase: http://zone.msn.com/bingame/shpo/default/shapo.cab
description:
classification: Legitimate
known filename: gpcontrol.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gpcontrol.dll
Short name: GPCONT~1.DLL
Date (created): 10/12/2005 12:37:14 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 10/12/2005 12:37:14 PM
Filesize: 278528
Attributes: archive
MD5: 454568FEE8A99AEDF7F94E1376AC0E32
CRC32: 776FD505
Version: 1.0.2.12

{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class)
DPF name:
CLSID name: StadiumProxy Class
Installer:
Codebase: http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
description:
classification: Legitimate
known filename: StProxy.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: StProxy.dll
Short name:
Date (created): 12/7/2005 4:30:04 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 12/7/2005 4:30:04 PM
Filesize: 238120
Attributes: archive
MD5: D9436E26DFC4E1FB7DC83AA37A809BAA
CRC32: BCA95792
Version: 9.4.1227.1

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Installer: C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Codebase: http://zone.msn.com/bingame/popcaploader_v10.cab
description:
classification: Legitimate
known filename: POPCAPLOADER.DLL
info link:
info source: Safer Networking Ltd.

{E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
DPF name:
CLSID name: HeartbeatCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\heartbeat.inf
Codebase: http://fdl.msn.com/zone/datafiles/heartbeat.cab
description:
classification: Legitimate
known filename: hrtbeat.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: hrtbeat.ocx
Short name:
Date (created): 7/26/2004 8:36:00 PM
Date (last access): 9/22/2009 6:03:00 PM
Date (last write): 7/26/2004 8:36:00 PM
Filesize: 101464
Attributes: archive
MD5: 4BB1D03DFDFBBC51A7EC5D65D269EF42
CRC32: 5A8F1091
Version: 9.2.9524.1



--- Process list ---
PID: 0 ( 0) [System]
PID: 688 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 764 ( 688) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 796 ( 688) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 840 ( 796) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 852 ( 796) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1016 ( 840) C:\WINDOWS\system32\Ati2evxx.exe
size: 512000
MD5: 3E47191DDAFFCDD9B28CBC50FB6499B5
PID: 1036 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1116 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1240 ( 840) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1300 ( 796) C:\WINDOWS\system32\Ati2evxx.exe
size: 512000
MD5: 3E47191DDAFFCDD9B28CBC50FB6499B5
PID: 1364 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1472 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1604 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 456 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 488 ( 840) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 132424
MD5: A8AA9D47F971570A5162B862B80F87E8
PID: 552 ( 840) C:\WINDOWS\system32\libusbd-nt.exe
size: 18944
MD5: 8B4B572753419FE601220526205F9455
PID: 608 ( 840) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
size: 73728
MD5: E4973B3229E0015345AFBE43A8A8EB3B
PID: 640 ( 840) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 1192 ( 840) C:\WINDOWS\system32\locator.exe
size: 75264
MD5: AAED593F84AFA419BBAE8572AF87CF6A
PID: 1228 ( 840) C:\WINDOWS\system32\tcpsvcs.exe
size: 19456
MD5: 32933B07FC16D9F778BEE12545FA1B1A
PID: 1296 ( 840) C:\WINDOWS\System32\snmp.exe
size: 33280
MD5: 60C377BE6B3CC83F6A8584934B181D2E
PID: 1344 ( 840) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 196 ( 840) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 1004 (1240) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: F92E1076C42FCD6DB3D72D8CFE9816D5
PID: 1076 (1084) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1216 (1076) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: 763DAB43BDAB27316DBF3373192823D7
PID: 2116 (1076) C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 54576
MD5: 5516C26A6AF8EB4E2CAB48EC98A74398
PID: 2192 (1076) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 2264 (1076) C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
size: 237568
MD5: 9FD48B9EC796B5F67E873685DCC6F640
PID: 2284 (1076) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 258048
MD5: C519CEC624CF9BCBA3059F32266C8FFF
PID: 2384 (1076) C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
size: 36903
MD5: 84A6C6456F86ED03B79DB55BCBCDB2BD
PID: 2452 ( 840) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 3484 (2340) C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
size: 425984
MD5: 6B2B9B46D7DA5C67397412DEA6CF9A14
PID: 3716 ( 840) C:\WINDOWS\system32\HPZipm12.exe
size: 69632
MD5: 9D84376931440F3679BEEF2A414FA493
PID: 3216 (2284) C:\WINDOWS\system32\HPZinw12.exe
size: 61440
MD5: DAC898E74FC2A35C9766FA51B27897BD
PID: 288 ( 840) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 2084 (1216) c:\program files\common files\installshield\updateservice\isuspm.exe
size: 221184
MD5: FB9E5C251CF6C37749F296BACB34A69B
PID: 432 (1036) c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
size: 503808
MD5: 9212D6DF2A00DAB5C0C8A65399167CB2
PID: 208 (2072) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System
PID: 3328 (1076) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2356 (3328) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/22/2009 6:17:35 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.truckworksinc.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 6: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 8: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 10: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{1971838C-C458-4589-BDA4-ADDF97873BDE}] SEQPACKET 11
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{1971838C-C458-4589-BDA4-ADDF97873BDE}] DATAGRAM 11
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3DC441A0-81EC-41C7-B5A2-08788681DCCB}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3DC441A0-81EC-41C7-B5A2-08788681DCCB}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B79CD0E0-7DB7-4724-A9D0-ED3179536593}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B79CD0E0-7DB7-4724-A9D0-ED3179536593}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2EE54709-4E56-4BD6-A77A-75125ABD4267}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2EE54709-4E56-4BD6-A77A-75125ABD4267}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{28262E0B-A829-42C0-92A5-ABC286399DA6}] SEQPACKET 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{28262E0B-A829-42C0-92A5-ABC286399DA6}] DATAGRAM 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1971838C-C458-4589-BDA4-ADDF97873BDE}] SEQPACKET 12
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1971838C-C458-4589-BDA4-ADDF97873BDE}] DATAGRAM 12
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCD4EEC6-83E7-4C7B-9E77-CE623551CEE9}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCD4EEC6-83E7-4C7B-9E77-CE623551CEE9}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DC441A0-81EC-41C7-B5A2-08788681DCCB}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3DC441A0-81EC-41C7-B5A2-08788681DCCB}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EE54709-4E56-4BD6-A77A-75125ABD4267}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EE54709-4E56-4BD6-A77A-75125ABD4267}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 30: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B79CD0E0-7DB7-4724-A9D0-ED3179536593}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 31: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B79CD0E0-7DB7-4724-A9D0-ED3179536593}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 32: MSAFD NetBIOS [\Device\NetBT_Tcpip_{10EFAA97-60A6-4486-B246-26E2209C3A57}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 33: MSAFD NetBIOS [\Device\NetBT_Tcpip_{10EFAA97-60A6-4486-B246-26E2209C3A57}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 34: MSAFD NetBIOS [\Device\NetBT_Tcpip_{025056E4-ED8C-4D97-BE08-178D48F8D486}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 35: MSAFD NetBIOS [\Device\NetBT_Tcpip_{025056E4-ED8C-4D97-BE08-178D48F8D486}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*

Namespace Provider 4: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 5: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

racedriver1972
2009-09-23, 04:23
This one is short, and if you need the ones after it, let me know.

Thanks again, Rob.

22.09.2009 18:27:38 - ##### check started #####
22.09.2009 18:27:38 - ### Version: 1.6.2
22.09.2009 18:27:38 - ### Date: 9/22/2009 6:27:38 PM
22.09.2009 18:27:41 - ##### checking bots #####
22.09.2009 18:46:31 - found: Virtumonde.Dll Library
22.09.2009 19:12:48 - ##### check finished #####

Shaba
2009-09-23, 06:22
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

racedriver1972
2009-09-23, 15:49
Will post after work tonight again.

Thanks, Rob.

Shaba
2009-09-23, 16:45
Thanks for the update :)

racedriver1972
2009-09-24, 03:43
Here are the logs.

Thanks again, Rob

ComboFix 09-09-23.02 - Becki 09/23/2009 18:04.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.585 [GMT -7:00]
Running from: c:\documents and settings\Becki\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Becki\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Becki\Local Settings\Temp\IadHide5.dll
.
---- Previous Run -------
.
c:\docume~1\Becki\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Becki\Desktop\EZ-Tracks.com.lnk
c:\documents and settings\Becki\Desktop\Get 25 Free Downloads from eMusic.lnk
c:\documents and settings\Becki\Local Settings\Temp\IadHide5.dll
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\33430.msp
c:\windows\Installer\53b0222.msp
c:\windows\Installer\53b0225.msp
c:\windows\Installer\5a09c.msp
c:\windows\Installer\94a33f3.msp
c:\windows\Installer\c6d7c64.msp
c:\windows\Installer\c6d7c77.msp
c:\windows\Installer\c6d7c8a.msp
c:\windows\Installer\c6d7c9d.msp
c:\windows\Installer\c6d7cb0.msp
c:\windows\Installer\c6d7cc3.msp
c:\windows\Installer\c6d7cd6.msp
c:\windows\run.log
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-23 23:17 . 2009-09-23 23:17 -------- d-----w- c:\documents and settings\kids_2\Application Data\Malwarebytes
2009-09-19 23:26 . 2009-09-19 23:26 -------- d-----w- c:\documents and settings\Becki\Application Data\WinBatch
2009-09-19 17:18 . 2009-09-19 17:19 -------- d-----w- c:\program files\ERUNT
2009-09-19 16:58 . 2009-09-19 23:59 -------- d-----w- c:\documents and settings\Becki\Application Data\HpUpdate
2009-09-19 16:58 . 2009-09-19 16:58 -------- d-----w- c:\windows\Hewlett-Packard
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\Becki\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 21:29 . 2009-09-12 21:29 -------- d-----w- c:\documents and settings\Becki\Local Settings\Application Data\Windows Live Writer
2009-09-12 15:42 . 2009-09-12 15:42 -------- d-sh--w- c:\documents and settings\Becki\IECompatCache
2009-09-12 15:38 . 2009-09-12 15:38 -------- d-sh--w- c:\documents and settings\Becki\PrivacIE
2009-09-12 02:34 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-sh--w- c:\documents and settings\Becki\IETldCache
2009-09-01 03:52 . 2009-09-01 03:52 -------- d-sh--w- c:\documents and settings\kids_2\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 01:27 . 2009-04-05 00:32 209044000 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-24 01:22 . 2009-04-05 00:32 2799644 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-23 02:23 . 2007-06-01 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 14:08 . 2007-06-01 02:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 16:58 . 2005-10-15 03:04 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-12 03:06 . 2005-12-27 21:33 57008 ----a-w- c:\documents and settings\Becki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 02:26 . 2006-01-06 06:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-01 02:29 . 2006-08-17 22:14 57008 ----a-w- c:\documents and settings\kids_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 11:38 . 2009-08-19 11:38 -------- d-----w- c:\program files\MSBuild
2009-08-19 11:37 . 2009-08-19 11:37 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 05:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 05:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 03:04 . 2009-06-28 03:04 1411 ----a-w- c:\program files\baby george (34 x 34).jpg
2006-04-20 15:21 . 2006-04-20 15:21 26922 ----a-w- c:\program files\moviepass Terms.html
2006-04-08 05:25 . 2006-04-08 05:25 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-05-07 02:18 . 2009-05-07 02:18 1433119 --sh--w- c:\windows\system32\oyeloyid.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F691B5E-00E4-4E32-8E85-016DAB380CCA}]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2006-04-20 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-10-05 235936]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\kids_2\Start Menu\Programs\Startup\
STK02N 2.0 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2007-12-24 163840]

c:\documents and settings\Becki\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Becki\Start Menu\Programs\Startup\AutorunsDisabled
wkcalrem.lnk.disabled [2006-5-19 941]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-14 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxgqrjmr]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Registry Cleaner"="c:\program files\Registry Cleaner Trial\Regclean.exe" -startminimize
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
"PS2"=c:\windows\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bandwidth Monitor and Internet Tools\\Bandwidth Monitor.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\Adobe\\Shockwave 11\\SwHelper_1100429.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"57133:TCP"= 57133:TCP:Pando Media Booster
"57133:UDP"= 57133:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 vcfwiaty;vcfwiaty;c:\windows\system32\drivers\vcfwiaty.sys [8/3/2004 10:00 PM 23424]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 10:00 PM 14336]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [6/14/2007 6:54 PM 33792]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual Camera;c:\windows\system32\drivers\mr97310v.sys [2/3/2007 5:54 PM 114105]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qnclygzr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\At1.job
- c:\windows\system32\mhjuncd.dll [2004-08-04 05:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.truckworksinc.com/
uInternet Settings,ProxyServer = 192.168.0.1:80
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: census.gov\factfinder
Trusted Zone: ford.com\www
Trusted Zone: fordvehicles.com\www55.forddirect
Trusted Zone: fordvehicles.com\www81.forddirect
Trusted Zone: garmin.com\buy
Trusted Zone: goodsamclub.com\www
Trusted Zone: hp.com
Trusted Zone: intel.com
Trusted Zone: intel.com\downloadcenter
Trusted Zone: intel.com\downloadmirror
Trusted Zone: intuit.com
Trusted Zone: intuit.com\turbotax
Trusted Zone: live.com\login
Trusted Zone: lowes.com\www
Trusted Zone: movietickets.com\www
Trusted Zone: trailerlifedirectory.com\www
Trusted Zone: turbotax.com
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://accounting1.coaxis-asp.net/eolupcli.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{d5f35314-e80d-4615-b655-4f899437dd00} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-09-24 18:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 01:34

Pre-Run: 78,828,105,728 bytes free
Post-Run: 78,844,432,384 bytes free

279 --- E O F --- 2009-09-12 16:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:37 PM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Becki\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truckworksinc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F691B5E-00E4-4E32-8E85-016DAB380CCA} - c:\windows\system32\mhjuncd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://factfinder.census.gov
O15 - Trusted Zone: http://www.ford.com
O15 - Trusted Zone: http://www55.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www81.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www.goodsamclub.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://downloadcenter.intel.com
O15 - Trusted Zone: downloadmirror.intel.com
O15 - Trusted Zone: *.intel.com
O15 - Trusted Zone: http://turbotax.intuit.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://www.lowes.com
O15 - Trusted Zone: http://www.movietickets.com
O15 - Trusted Zone: http://www.trailerlifedirectory.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {240EEE8D-91DB-4D74-A87E-671026601333} (EOLUP.Version) - http://accounting1.coaxis-asp.net/eolupcli.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://accounting1.coaxis-asp.net/msrdp.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sorrowandhope.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: wxgqrjmr - C:\WINDOWS\SYSTEM32\mhjuncd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12198 bytes

Shaba
2009-09-24, 07:27
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\mhjuncd.dll
c:\windows\Tasks\At1.job
c:\windows\system32\oyeloyid.tmp


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
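The CFScript above names the DLL together with the scheduled task that relaunches it, which is the point: every loading point that references the file has to go in the same pass or it comes back. As an added example that is not part of this thread or of ComboFix itself, the Python below parses a constructed ComboFix-style excerpt (modelled on the log posted above) to list every loading point referencing a given file and draft the matching File:: section; the regexes and the sample are my assumptions about the log layout, not a ComboFix specification.

```python
"""Cross-reference ComboFix 'Reg Loading Points' entries against one file.

Added example (not ComboFix's own code). The parser assumes the log layout
seen in this thread: registry keys in [brackets], one autostart entry per
line, and scheduled tasks as a dated .job line followed by '- <target>'.
"""
import re
from collections import namedtuple

LoadingPoint = namedtuple("LoadingPoint", "location path")

# Constructed sample, shortened from the ComboFix output posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F691B5E-00E4-4E32-8E85-016DAB380CCA}]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxgqrjmr]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\At1.job
- c:\windows\system32\mhjuncd.dll [2004-08-04 05:00]
"""

# An absolute Windows path ending in a file extension; the lazy quantifier stops
# at the first extension so the trailing [date size] annotation is not swallowed.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe|sys|job|tmp)\b', re.IGNORECASE)
KEY_RE = re.compile(r'^\[(.+)\]$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(\S+\.job)$', re.IGNORECASE)
FILE_EXTS = (".dll", ".exe", ".sys", ".job", ".tmp")


def parse_loading_points(log_text):
    """Return every (location, path) pair in a ComboFix log excerpt.

    'location' is the registry key the path was listed under, or the .job
    file for a scheduled-task entry.
    """
    points = []
    location = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            location = key.group(1)
            continue
        task = TASK_RE.match(line)
        if task:
            location = task.group(1)
            continue
        if location is None:
            continue
        for match in PATH_RE.finditer(line):
            points.append(LoadingPoint(location, match.group(0)))
    return points


def find_references(points, filename):
    """Loading points whose path has the given basename (case-insensitive)."""
    wanted = filename.lower()
    return [p for p in points if p.path.lower().rsplit("\\", 1)[-1] == wanted]


def build_cfscript(points, filename):
    """Draft the File:: section covering the file itself and every scheduled
    task (.job) that launches it, so one ComboFix pass removes both."""
    files = []
    for point in find_references(points, filename):
        for candidate in (point.path, point.location):
            if candidate.lower().endswith(FILE_EXTS) \
                    and candidate.lower() not in [f.lower() for f in files]:
                files.append(candidate)
    return "File::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for ref in find_references(found, "mhjuncd.dll"):
        print(f"{ref.location}  ->  {ref.path}")
    print(build_cfscript(found, "mhjuncd.dll"))
```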

racedriver1972
2009-09-24, 16:02
Here it is. Work once again and check again tonight.

Thanks for the help, Rob.

ComboFix 09-09-23.02 - Becki 09/24/2009 6:33.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.525 [GMT -7:00]
Running from: c:\documents and settings\Becki\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becki\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\mhjuncd.dll"
"c:\windows\system32\oyeloyid.tmp"
"c:\windows\Tasks\At1.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\oyeloyid.tmp
c:\windows\Tasks\At1.job
c:\windows\system32\mhjuncd.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-23 23:17 . 2009-09-23 23:17 -------- d-----w- c:\documents and settings\kids_2\Application Data\Malwarebytes
2009-09-19 23:26 . 2009-09-19 23:26 -------- d-----w- c:\documents and settings\Becki\Application Data\WinBatch
2009-09-19 17:18 . 2009-09-19 17:19 -------- d-----w- c:\program files\ERUNT
2009-09-19 16:58 . 2009-09-19 23:59 -------- d-----w- c:\documents and settings\Becki\Application Data\HpUpdate
2009-09-19 16:58 . 2009-09-19 16:58 -------- d-----w- c:\windows\Hewlett-Packard
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\Becki\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 21:29 . 2009-09-12 21:29 -------- d-----w- c:\documents and settings\Becki\Local Settings\Application Data\Windows Live Writer
2009-09-12 15:42 . 2009-09-12 15:42 -------- d-sh--w- c:\documents and settings\Becki\IECompatCache
2009-09-12 15:38 . 2009-09-12 15:38 -------- d-sh--w- c:\documents and settings\Becki\PrivacIE
2009-09-12 02:34 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-sh--w- c:\documents and settings\Becki\IETldCache
2009-09-01 03:52 . 2009-09-01 03:52 -------- d-sh--w- c:\documents and settings\kids_2\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 13:53 . 2009-04-05 00:32 210692640 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-24 13:51 . 2009-04-05 00:32 2821796 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-23 02:23 . 2007-06-01 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 14:08 . 2007-06-01 02:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 16:58 . 2005-10-15 03:04 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-12 03:06 . 2005-12-27 21:33 57008 ----a-w- c:\documents and settings\Becki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 02:26 . 2006-01-06 06:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-01 02:29 . 2006-08-17 22:14 57008 ----a-w- c:\documents and settings\kids_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 11:38 . 2009-08-19 11:38 -------- d-----w- c:\program files\MSBuild
2009-08-19 11:37 . 2009-08-19 11:37 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 05:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 05:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 03:04 . 2009-06-28 03:04 1411 ----a-w- c:\program files\baby george (34 x 34).jpg
2006-04-20 15:21 . 2006-04-20 15:21 26922 ----a-w- c:\program files\moviepass Terms.html
2006-04-08 05:25 . 2006-04-08 05:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_01.27.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-24 13:52 . 2009-09-24 13:52 16384 c:\windows\Temp\Perflib_Perfdata_c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F691B5E-00E4-4E32-8E85-016DAB380CCA}]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2006-04-20 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-10-05 235936]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\kids_2\Start Menu\Programs\Startup\
STK02N 2.0 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2007-12-24 163840]

c:\documents and settings\Becki\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Becki\Start Menu\Programs\Startup\AutorunsDisabled
wkcalrem.lnk.disabled [2006-5-19 941]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-14 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxgqrjmr]
2004-08-04 05:00 101376 ----a-w- c:\windows\system32\mhjuncd.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Registry Cleaner"="c:\program files\Registry Cleaner Trial\Regclean.exe" -startminimize
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
"PS2"=c:\windows\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bandwidth Monitor and Internet Tools\\Bandwidth Monitor.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\Adobe\\Shockwave 11\\SwHelper_1100429.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"57133:TCP"= 57133:TCP:Pando Media Booster
"57133:UDP"= 57133:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 vcfwiaty;vcfwiaty;c:\windows\system32\drivers\vcfwiaty.sys [8/3/2004 10:00 PM 23424]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 10:00 PM 14336]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [6/14/2007 6:54 PM 33792]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual Camera;c:\windows\system32\drivers\mr97310v.sys [2/3/2007 5:54 PM 114105]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qnclygzr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.truckworksinc.com/
uInternet Settings,ProxyServer = 192.168.0.1:80
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: census.gov\factfinder
Trusted Zone: ford.com\www
Trusted Zone: fordvehicles.com\www55.forddirect
Trusted Zone: fordvehicles.com\www81.forddirect
Trusted Zone: garmin.com\buy
Trusted Zone: goodsamclub.com\www
Trusted Zone: hp.com
Trusted Zone: intel.com
Trusted Zone: intel.com\downloadcenter
Trusted Zone: intel.com\downloadmirror
Trusted Zone: intuit.com
Trusted Zone: intuit.com\turbotax
Trusted Zone: live.com\login
Trusted Zone: lowes.com\www
Trusted Zone: movietickets.com\www
Trusted Zone: trailerlifedirectory.com\www
Trusted Zone: turbotax.com
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://accounting1.coaxis-asp.net/eolupcli.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 06:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WININET.dll
c:\docume~1\Becki\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-09-24 7:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 14:00
ComboFix2.txt 2009-09-24 01:34

Pre-Run: 78,818,516,992 bytes free
Post-Run: 78,784,110,592 bytes free

255 --- E O F --- 2009-09-12 16:51

Shaba
2009-09-24, 16:44
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\mhjuncd.dll
c:\windows\system32\drivers\vcfwiaty.sys

Driver::
vcfwiaty


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

racedriver1972
2009-09-25, 04:00
As requested.

Thanks, Rob.

ComboFix 09-09-23.02 - Becki 09/24/2009 18:26.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.643 [GMT -7:00]
Running from: c:\documents and settings\Becki\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Becki\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\vcfwiaty.sys"
"c:\windows\system32\mhjuncd.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Becki\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Becki\Local Settings\Temp\IadHide5.dll
c:\windows\system32\drivers\vcfwiaty.sys
c:\windows\system32\mhjuncd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VCFWIATY
-------\Service_vcfwiaty


((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-23 23:17 . 2009-09-23 23:17 -------- d-----w- c:\documents and settings\kids_2\Application Data\Malwarebytes
2009-09-19 23:26 . 2009-09-19 23:26 -------- d-----w- c:\documents and settings\Becki\Application Data\WinBatch
2009-09-19 17:18 . 2009-09-19 17:19 -------- d-----w- c:\program files\ERUNT
2009-09-19 16:58 . 2009-09-19 23:59 -------- d-----w- c:\documents and settings\Becki\Application Data\HpUpdate
2009-09-19 16:58 . 2009-09-19 16:58 -------- d-----w- c:\windows\Hewlett-Packard
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\Becki\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 04:17 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-14 04:17 . 2009-09-14 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 21:29 . 2009-09-12 21:29 -------- d-----w- c:\documents and settings\Becki\Local Settings\Application Data\Windows Live Writer
2009-09-12 15:42 . 2009-09-12 15:42 -------- d-sh--w- c:\documents and settings\Becki\IECompatCache
2009-09-12 15:38 . 2009-09-12 15:38 -------- d-sh--w- c:\documents and settings\Becki\PrivacIE
2009-09-12 02:34 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-sh--w- c:\documents and settings\Becki\IETldCache
2009-09-01 03:52 . 2009-09-01 03:52 -------- d-sh--w- c:\documents and settings\kids_2\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 01:48 . 2009-04-05 00:32 213570592 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-25 01:44 . 2009-04-05 00:32 2860628 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-23 02:23 . 2007-06-01 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 14:08 . 2007-06-01 02:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-19 16:58 . 2005-10-15 03:04 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-12 03:06 . 2005-12-27 21:33 57008 ----a-w- c:\documents and settings\Becki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 02:26 . 2006-01-06 06:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-01 02:29 . 2006-08-17 22:14 57008 ----a-w- c:\documents and settings\kids_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 11:38 . 2009-08-19 11:38 -------- d-----w- c:\program files\MSBuild
2009-08-19 11:37 . 2009-08-19 11:37 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-04 05:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 05:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 05:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 03:04 . 2009-06-28 03:04 1411 ----a-w- c:\program files\baby george (34 x 34).jpg
2006-04-20 15:21 . 2006-04-20 15:21 26922 ----a-w- c:\program files\moviepass Terms.html
2006-04-08 05:25 . 2006-04-08 05:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_01.27.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-24 13:52 . 2009-09-24 13:52 16384 c:\windows\Temp\Perflib_Perfdata_c8.dat
+ 2009-09-25 01:45 . 2009-09-25 01:45 16384 c:\windows\Temp\Perflib_Perfdata_4a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe" [2006-04-20 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-10-05 235936]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\kids_2\Start Menu\Programs\Startup\
STK02N 2.0 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2007-12-24 163840]

c:\documents and settings\Becki\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\Becki\Start Menu\Programs\Startup\AutorunsDisabled
wkcalrem.lnk.disabled [2006-5-19 941]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-10-14 36903]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Registry Cleaner"="c:\program files\Registry Cleaner Trial\Regclean.exe" -startminimize
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
"PS2"=c:\windows\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bandwidth Monitor and Internet Tools\\Bandwidth Monitor.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\system32\\Adobe\\Shockwave 11\\SwHelper_1100429.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"57133:TCP"= 57133:TCP:Pando Media Booster
"57133:UDP"= 57133:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 10:00 PM 14336]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [6/14/2007 6:54 PM 33792]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual Camera;c:\windows\system32\drivers\mr97310v.sys [2/3/2007 5:54 PM 114105]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qnclygzr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.truckworksinc.com/
uInternet Settings,ProxyServer = 192.168.0.1:80
uSearchURL,(Default) = hxxp://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: census.gov\factfinder
Trusted Zone: ford.com\www
Trusted Zone: fordvehicles.com\www55.forddirect
Trusted Zone: fordvehicles.com\www81.forddirect
Trusted Zone: garmin.com\buy
Trusted Zone: goodsamclub.com\www
Trusted Zone: hp.com
Trusted Zone: intel.com
Trusted Zone: intel.com\downloadcenter
Trusted Zone: intel.com\downloadmirror
Trusted Zone: intuit.com
Trusted Zone: intuit.com\turbotax
Trusted Zone: live.com\login
Trusted Zone: lowes.com\www
Trusted Zone: movietickets.com\www
Trusted Zone: trailerlifedirectory.com\www
Trusted Zone: turbotax.com
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://accounting1.coaxis-asp.net/eolupcli.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{3F691B5E-00E4-4E32-8E85-016DAB380CCA} - c:\windows\system32\mhjuncd.dll
Notify-wxgqrjmr - mhjuncd.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1294802479-783438776-1001296409-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(880)
c:\windows\system32\WININET.dll
c:\docume~1\Becki\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\locator.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-09-25 18:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 01:55
ComboFix2.txt 2009-09-24 14:00
ComboFix3.txt 2009-09-24 01:34

Pre-Run: 78,738,141,184 bytes free
Post-Run: 78,743,248,896 bytes free

259 --- E O F --- 2009-09-12 16:51

Shaba
2009-09-25, 06:17
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

racedriver1972
2009-09-26, 08:14
Here they are.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 25, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 26, 2009 01:32:00
Records in database: 2921883
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 168400
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:58:24


File name / Threat / Threats count
C:\Documents and Settings\Becki\My Documents\games\Mystery-Case-Files-setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bu 1
C:\Program Files\EZT_Partner\eztracks.msi Infected: not-a-virus:AdWare.Win32.Eztracks.h 1
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_vcfwiaty_.sys.zip Infected: Trojan.Win32.BHO.ext 1

Selected area has been scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:38 PM, on 9/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Becki\Local Settings\Temp\jkos-Becki\binaries\ScanningProcess.exe
C:\Documents and Settings\Becki\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truckworksinc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwLe98kRA1QsB0Q6JZuqeC1m9AuZJIf9jwxxXUZYLHAobF5lBXuCddJoNTRd0U+MpURAB0yyBff9Prxrh14N1ePrybh6ZvH9Vj
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://factfinder.census.gov
O15 - Trusted Zone: http://www.ford.com
O15 - Trusted Zone: http://www55.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www81.forddirect.fordvehicles.com
O15 - Trusted Zone: http://www.goodsamclub.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://downloadcenter.intel.com
O15 - Trusted Zone: downloadmirror.intel.com
O15 - Trusted Zone: *.intel.com
O15 - Trusted Zone: http://turbotax.intuit.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.lowes.com
O15 - Trusted Zone: http://www.movietickets.com
O15 - Trusted Zone: http://www.trailerlifedirectory.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {240EEE8D-91DB-4D74-A87E-671026601333} (EOLUP.Version) - http://accounting1.coaxis-asp.net/eolupcli.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://accounting1.coaxis-asp.net/msrdp.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sorrowandhope.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - http://www.gamehouse.com/realarcade-webgames/mysterysolitairesecretisland/SpinTopGamesLauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 12764 bytes

Shaba
2009-09-26, 09:16
Empty this folder:
C:\Qoobox\Quarantine

Delete these:
C:\Documents and Settings\Becki\My Documents\games\Mystery-Case-Files-setup.exe
C:\Program Files\EZT_Partner

Empty Recycle Bin.

Still problems?

racedriver1972
2009-09-26, 16:02
It hasn't been continuing to reinstall that file, and it is not experiencing the slow-opening-programs issue it had.

Thanks very much for the assistance.

Rob.

Shaba
2009-09-26, 19:01
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the run box and click OK.

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
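The same six Internet-zone settings can be applied and verified from the registry rather than by clicking through the dialog, which makes it easy to confirm later that nothing has reset them. The following PowerShell is an added example written for this thread, not Shaba's instructions or any tool from the thread. It assumes per-user (HKCU) zone settings are in effect; the Internet zone is stored as `Zones\3`, and the value names (1001, 1004, 1201, 1800, 1804, 1607) and the policy numbers 0/1/3 are Internet Explorer's documented URL action and URL policy constants. If the machine sets `Security_HKLM_only`, the HKLM copy of these keys wins and this per-user change is ignored.

```powershell
# Added example (not from the thread): apply the Internet-zone settings listed above
# through the registry and report what changed.
# Assumption: per-user (HKCU) zone settings are in effect (no Security_HKLM_only policy).

# Internet zone = Zone 3. Value names are IE URLACTION constants; 0/1/3 are the
# URLPOLICY values shown as Enable/Prompt/Disable in the Custom Level dialog.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Policy = @{ Enable = 0; Prompt = 1; Disable = 3 }

# Value name => desired policy, matching the six settings in the post.
$Desired = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Want = 'Prompt'  }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Want = 'Disable' }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 'Disable' }
    '1800' = @{ Label = 'Installation of desktop items';                             Want = 'Prompt'  }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Want = 'Prompt'  }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Want = 'Prompt'  }
}

function Get-PolicyName([int]$Value) {
    foreach ($k in $Policy.Keys) { if ($Policy[$k] -eq $Value) { return $k } }
    return "Unknown($Value)"
}

function Set-InternetZoneHardening {
    param([switch]$ReportOnly)   # -ReportOnly prints the comparison and writes nothing
    if (-not (Test-Path $ZonePath)) { throw "Zone key not found: $ZonePath" }
    foreach ($name in $Desired.Keys) {
        $want = $Policy[$Desired[$name].Want]
        $item = Get-ItemProperty -Path $ZonePath -Name $name -ErrorAction SilentlyContinue
        $have = if ($null -ne $item) { [int]$item.$name } else { $null }
        $status = if ($have -eq $want) { 'ok' } else { 'change' }
        $haveText = if ($null -eq $have) { 'unset' } else { Get-PolicyName $have }
        '{0,-7} {1,-62} current={2,-8} desired={3}' -f $status, $Desired[$name].Label, $haveText, $Desired[$name].Want
        if ($status -eq 'change' -and -not $ReportOnly) {
            # Values are REG_DWORD; -Force creates the value or overwrites an existing one.
            New-ItemProperty -Path $ZonePath -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        }
    }
}

# Preview first, then apply; run it again afterwards and every row should read "ok".
Set-InternetZoneHardening -ReportOnly
Set-InternetZoneHardening
```

After running it, open Tools > Internet Options > Security > Custom Level: the dialog reads the same registry values, so it should now show the six settings at the levels listed above.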

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
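To see the hosts-file mechanism described above in action, the PowerShell below (an added example, not code from the thread or from the MVPS project) parses a hosts file, lists every name that is sinkholed to the local machine, and answers "where would this name go?" for a few hostnames. The `$SampleHosts` text is constructed for the demo, including a deliberately planted entry that points a security vendor's site at a non-loopback address; the real file lives at `$env:SystemRoot\System32\drivers\etc\hosts` and can be read instead by passing `-Path`. The non-loopback check is the part worth keeping: the MVPS file only ever maps names to 127.0.0.1 or 0.0.0.0, so any hosts entry that sends a well-known site somewhere else was not put there by MVPS and deserves a look.

```powershell
# Added example (not from the thread or MVPS): parse a hosts file and show which names
# are sinkholed to the local machine, the mechanism the MVPS Hosts file relies on.
# $SampleHosts is constructed for the demo; use -Path to read the real file:
#   Get-HostsEntries -Path "$env:SystemRoot\System32\drivers\etc\hosts"

$SampleHosts = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed MVPS-style block entries ---
127.0.0.1  ads.example-adnetwork.test
127.0.0.1  tracker.example-stats.test   #[Tracking]
0.0.0.0    banners.example-ads.test
# --- constructed redirect entry (the kind of edit to review, not one MVPS would add) ---
203.0.113.7  www.kaspersky.com
'@

function Get-HostsEntries {
    param([string]$Path, [string]$Text)
    $lines = if ($Path) { Get-Content -Path $Path } else { $Text -split "`r?`n" }
    foreach ($raw in $lines) {
        $line = ($raw -replace '#.*$', '').Trim()      # drop comments and padding
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # an address with no names is not an entry
        $ip = $fields[0]
        # One address may be followed by several names; emit one object per name.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Name      = $name.ToLower()
                Address   = $ip
                Sinkholed = ($ip -eq '127.0.0.1' -or $ip -eq '0.0.0.0' -or $ip -eq '::1')
            }
        }
    }
}

function Test-HostsLookup {
    param([string]$HostName, [object[]]$Entries)
    # The resolver takes the first matching line, so mimic that with -First 1.
    $hit = $Entries | Where-Object { $_.Name -eq $HostName.ToLower() } | Select-Object -First 1
    if ($null -eq $hit)     { "$HostName -> not in hosts file (normal DNS lookup)" }
    elseif ($hit.Sinkholed) { "$HostName -> $($hit.Address) (blocked locally)" }
    else                    { "$HostName -> $($hit.Address) (REDIRECTED, review this entry)" }
}

$entries = Get-HostsEntries -Text $SampleHosts
$entries | Format-Table -AutoSize

# Entries that send a name anywhere other than loopback: MVPS never writes these.
Write-Output 'Non-loopback entries:'
$entries | Where-Object { -not $_.Sinkholed } | Format-Table -AutoSize

'ads.example-adnetwork.test', 'www.kaspersky.com', 'www.ford.com' |
    ForEach-Object { Test-HostsLookup -HostName $_ -Entries $entries }
```

With the constructed sample, the two ad/tracker names report as blocked locally, www.ford.com falls through to normal DNS, and www.kaspersky.com is flagged as redirected; on a real machine the "Non-loopback entries" table should be empty apart from any entries you added yourself.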

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

racedriver1972
2009-09-26, 19:38
Thank you again, will do! What is your opinion of ZoneAlarm Security Suite, as that is what I have been using? Although I think this computer was infected prior to installing it, as it has popped up in ZoneAlarm as a virus since I installed it, and has been in quarantine since.

Rob.

Shaba
2009-09-26, 21:23
It is fine :)

Shaba
2009-10-11, 15:03
Since this issue appears to be resolved ... this topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (PM). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.