Help removal of win.32.agent.atta



Ehencric
2010-04-12, 01:45
Hello Spybot,

My computer has been infected with win32.agent.atta (detected by a scan of Spybot S&D). However, every time I click 'fix problem' and do another scan, the same problem comes back. Please help me fix it.

~Thank you from ehencric.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:44 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ADMonitor.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
c:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\Program Files\RSA Security\RSA Authentication Agent\da_svc.exe
c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Remote Task Manager\rtmservice.exe
C:\Program Files\RSA Security\RSA Authentication Agent\Agenthost Autoreg Utility\sdregsrv.exe
C:\WINDOWS\system32\slClient.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\opear.exe
C:\Program Files\Windows NT\Accessories\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PereSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM7\aim.exe
C:\EricChen\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Documents and Settings\mding\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\All Users\Application Data\ULrt0F68.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\EricChen\uTorrent\uTorrent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\445.exe
C:\EricChen\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://knightnet/KnightNet/index.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knight.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://knightnet/KnightNet/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://knightnet/KnightNet/index.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Provided By Knight Equity Markets
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\EricChen\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Internet Explorer Plugin - {F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F} - nsfwj2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RSANotificationIcon] "C:\Program Files\Common Files\RSA Shared\RSA Security Center\RSANotificationIcon.exe"
O4 - HKLM\..\Run: [UIService] "C:\Program Files\Common Files\RSA Shared\BackendUI\UIService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\mding\LOCALS~1\Temp\geurge.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SpybotSnD] "C:\EricChen\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\EricChen\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\mding\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Printkey 2000.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\EricChen\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\EricChen\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.adp.com
O15 - Trusted Zone: http://online.barrons.com
O15 - Trusted Zone: http://*.barrons.com
O15 - Trusted Zone: http://www.briefing.com
O15 - Trusted Zone: http://*.briefing.com
O15 - Trusted Zone: http://*.concureworkplace.com
O15 - Trusted Zone: http://*.directrade.com
O15 - Trusted Zone: http://*.dtrading.com
O15 - Trusted Zone: http://*.etrade.com
O15 - Trusted Zone: http://*.fidelity.com
O15 - Trusted Zone: http://www.gorillatrades.com
O15 - Trusted Zone: http://*.gorillatrades.com
O15 - Trusted Zone: http://*.hotspotfx.com
O15 - Trusted Zone: http://*.ibm.com
O15 - Trusted Zone: http://*.investors.com
O15 - Trusted Zone: http://*.knight-sec.com
O15 - Trusted Zone: http://*.knight.com
O15 - Trusted Zone: http://*.knightglobal.com
O15 - Trusted Zone: http://www.knobias.com
O15 - Trusted Zone: http://*.knobias.com
O15 - Trusted Zone: http://*.lenovo.com
O15 - Trusted Zone: http://www.mlx.ml.com
O15 - Trusted Zone: http://*.ml.com
O15 - Trusted Zone: http://*.myuhc.com
O15 - Trusted Zone: http://*.nasd.com
O15 - Trusted Zone: http://*.nasdaqtrader.com
O15 - Trusted Zone: http://*.nasdaqworkstation.com
O15 - Trusted Zone: http://bic.niteglobal.com
O15 - Trusted Zone: http://*.otcquote.com
O15 - Trusted Zone: http://*.sec.gov
O15 - Trusted Zone: http://www2.standardandpoors.com
O15 - Trusted Zone: http://*.standardandpoors.com
O15 - Trusted Zone: http://*.streetaccount.com
O15 - Trusted Zone: http://www010.streetevents.com
O15 - Trusted Zone: http://*.streetevents.com
O15 - Trusted Zone: http://www.streetsight.net
O15 - Trusted Zone: http://*.streetsight.net
O15 - Trusted Zone: http://www.sharewatch.tfn.com
O15 - Trusted Zone: http://*.tfn.com
O15 - Trusted Zone: http://*.tradingmarkets.com
O15 - Trusted Zone: http://*.vanguard.com
O15 - Trusted Zone: http://*.webex.com
O15 - Trusted Zone: http://commerce.wsj.com
O15 - Trusted Zone: http://*.wsj.com
O15 - Trusted Zone: http://www.wssource.com
O15 - Trusted Zone: http://*.wssource.com
O15 - Trusted Zone: http://online.barrons.com (HKLM)
O15 - Trusted Zone: http://www.briefing.com (HKLM)
O15 - Trusted Zone: http://*.directrade.com (HKLM)
O15 - Trusted Zone: http://*.dtrading.com (HKLM)
O15 - Trusted Zone: http://www.gorillatrades.com (HKLM)
O15 - Trusted Zone: http://*.investors.com (HKLM)
O15 - Trusted Zone: http://www.knobias.com (HKLM)
O15 - Trusted Zone: http://www.mlx.ml.com (HKLM)
O15 - Trusted Zone: http://*.nasdaqtrader.com (HKLM)
O15 - Trusted Zone: http://bic.niteglobal.com (HKLM)
O15 - Trusted Zone: http://*.otcquote.com (HKLM)
O15 - Trusted Zone: http://*.sec.gov (HKLM)
O15 - Trusted Zone: http://www2.standardandpoors.com (HKLM)
O15 - Trusted Zone: http://www010.streetevents.com (HKLM)
O15 - Trusted Zone: http://www.streetsight.net (HKLM)
O15 - Trusted Zone: http://www.sharewatch.tfn.com (HKLM)
O15 - Trusted Zone: http://*.tradingmarkets.com (HKLM)
O15 - Trusted Zone: http://commerce.wsj.com (HKLM)
O15 - Trusted Zone: http://www.wssource.com (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224166690359
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.knight.com
O17 - HKLM\Software\..\Telephony: DomainName = global.knight.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.knight.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.knight.com
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O20 - Winlogon Notify: gport_ - C:\WINDOWS\SYSTEM32\gport_.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - c:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: RSA Authentication Agent Offline Local (OASVC_Local) - RSA Security Inc. - C:\Program Files\RSA Security\RSA Authentication Agent\da_svc.exe
O23 - Service: peresvc Service (peresvc) - Neto systems - C:\WINDOWS\system32\PereSvc.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - c:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Remote Task Manager service (RTM) - Unknown owner - C:\Program Files\Remote Task Manager\rtmservice.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - c:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: RSA Authentication Agent Auto-registration (sdadmreg) - Unknown owner - C:\Program Files\RSA Security\RSA Authentication Agent\Agenthost Autoreg Utility\sdregsrv.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

Shaba
2010-04-14, 20:06
Hi Ehencric

Is this a personal computer?

Ehencric
2010-04-15, 02:53
It was a company laptop. My younger sister decided to use it over spring break and might have accidentally clicked on a bad link of some sort.

Sorry to have wasted your time, but I had it reformatted. Thank you for taking your time to review my case.