http://www.antisource.com/forums/ Fri, 18 May 2012 08:20:23 +0000 MyBB http://www.antisource.com/forums/showthread.php?tid=4699 Fri, 18 Feb 2011 18:29:34 +0000 http://www.antisource.com/forums/showthread.php?tid=4699
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:56:51 AM, on 2/18/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1146369632\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Dell V310-V510 Series\dleamon.exe
C:\Program Files\Dell V310-V510 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dleaserv.exe
C:\WINDOWS\system32\dleacoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\AOL\1146369632\EE\anotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\W. Lou Thompson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL
O2 - BHO: Dell Toolbar - {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Toolbar\toolband.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Dell Toolbar - {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146369632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [dleamon.exe] "C:\Program Files\Dell V310-V510 Series\dleamon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Dell V310-V510 Series\ezprint.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\7.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...YYYYYYTKUS
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache....0.1.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...insctl.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fb.familylink.com/we_are_related/...oader5.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared...cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dleaCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dleaserv.exe
O23 - Service: dlea_device - - C:\WINDOWS\system32\dleacoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11403 bytes]]>
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:56:51 AM, on 2/18/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\AOL\1146369632\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Dell V310-V510 Series\dleamon.exe
C:\Program Files\Dell V310-V510 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dleaserv.exe
C:\WINDOWS\system32\dleacoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\AOL\1146369632\EE\anotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\W. Lou Thompson\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL
O2 - BHO: Dell Toolbar - {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Toolbar\toolband.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Dell Toolbar - {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146369632\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [dleamon.exe] "C:\Program Files\Dell V310-V510 Series\dleamon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Dell V310-V510 Series\ezprint.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\7.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...YYYYYYTKUS
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache....0.1.1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...insctl.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fb.familylink.com/we_are_related/...oader5.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared...cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dleaCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dleaserv.exe
O23 - Service: dlea_device - - C:\WINDOWS\system32\dleacoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11403 bytes]]> http://www.antisource.com/forums/showthread.php?tid=4695 Wed, 01 Dec 2010 00:10:07 +0000 http://www.antisource.com/forums/showthread.php?tid=4695
Take care
Marisa
======================================
http://www.antisource.com rocks! | Roulette Reaper Review]]>
Take care
Marisa
======================================
http://www.antisource.com rocks! | Roulette Reaper Review]]> http://www.antisource.com/forums/showthread.php?tid=4257 Sat, 06 Feb 2010 06:13:05 +0000 http://www.antisource.com/forums/showthread.php?tid=4257 What is SQL Injection Attacks

With the growing up of B/S model application development, more and more programmer write program with it. Unfortunately, many programmers did not judge the validity of users’ input data during encoding, and then, there will be security risk in the application.

Malicious attackers submit a special section of database query code to the server, the server will disclosure some sensitive information when respond with corresponding result. This is SQL Injection Attacks. The main trend Firewall currently will not alarm when there is SQL attack because of the SQL Injection is via normal point and hidden and difficult to be detected, seemingly normal website visit.

The danger of SQL Injection Attacks

According to the statistics of CVE in 2006, there are more than 70% attacks based on web application. The SQL Injection Attacks increase year by year, it arrives at 1078 in 2006. Even though, these data is only for the vulnerability in universal applications currently.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/CVESQLInjectVulnerabilities.gif">http://www.ids-sax2.com/articles/images ... lities.gif</a><!-- m -->
The danger of SQL Injection Attacks including:

 Change the data in database without authorization.
Gain the administration authority of a site without authorization.
 Maliciously change content of a site without authorization.
 XSS attacks.
 Gain the control authority of the server without authorization.
 Add, delete and change the accounts in the server without authorization.

The process of detect and revert SQL Injection Attacks

Some IDS software will execute effective detection for SQL Injection Attacks, though, firewall can not. Now, we go to the process of detect and revert SQL Injection Attacks with IDS software Ax3soft Sax2.

The steps of SQL Injection Attacks are:

a) Determine environment to find the injection point.
b) Determine the type of database.
c) Guess datasheet.
d) Guess the field.
e) Guess the content.

The steps “Guess datasheet”, “Guess the field” and “Guess the content” are very important fro SQL Injection Attacks during the full process. Let’s analyze these there steps.

Sax2 will detect and alarm the attacks in network real-time. It will show the in the table Event when there is SQL Injection Attacks, see the figure 1.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/DetectSQLInjectionAttacks(1">http://www.ids-sax2.com/articles/images ... nAttacks(1</a><!-- m -->).gif
Figure 1 Sax2 alarm the MS_SQL Injection Attacks real-time

The selected event in the Figure 1 shows the attacker’s IP 192.168.21.103, the victim’s IP 125.65.112.10. And the original message is “select * from [dirs]”, means enquire whether there is a datasheet named “dirs” in current database, in the Original Communication view.
The attacker will repeat the operation to gain the expected datasheet. He will try to guess the filed in the datasheet if found the corresponding datasheet in the database.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/DetectSQLInjectionAttacks(2">http://www.ids-sax2.com/articles/images ... nAttacks(2</a><!-- m -->).gif
Figure 2 Sax2 analysis the attacker is guessing the filed in the admin database

The code in the red circle in the Figure 2 show the attacker is guessing the “paths” filed in the admin database. Also, the attacker will repeat the operation till find the corresponding filed.

The attacker will determine the length of the filed and guess the content after found the corresponding filed. It will be a SQL Injection Attacks after the attacker guess the content in the filed successfully. Sometimes, the attacker has to decryption the content if it in MD5 encryption.

Above is the whole process of SQL Injection Attacks and we detect it with Sax2. As we know, Sax2 can effectively detect and alarm the SQL Injection Attacks when it occurs. IDS software Sax2 is a useful tool for SQL Injection Attacks and make your network security combine with firewall software.]]> What is SQL Injection Attacks

With the growing up of B/S model application development, more and more programmer write program with it. Unfortunately, many programmers did not judge the validity of users’ input data during encoding, and then, there will be security risk in the application.

Malicious attackers submit a special section of database query code to the server, the server will disclosure some sensitive information when respond with corresponding result. This is SQL Injection Attacks. The main trend Firewall currently will not alarm when there is SQL attack because of the SQL Injection is via normal point and hidden and difficult to be detected, seemingly normal website visit.

The danger of SQL Injection Attacks

According to the statistics of CVE in 2006, there are more than 70% attacks based on web application. The SQL Injection Attacks increase year by year, it arrives at 1078 in 2006. Even though, these data is only for the vulnerability in universal applications currently.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/CVESQLInjectVulnerabilities.gif">http://www.ids-sax2.com/articles/images ... lities.gif</a><!-- m -->
The danger of SQL Injection Attacks including:

 Change the data in database without authorization.
Gain the administration authority of a site without authorization.
 Maliciously change content of a site without authorization.
 XSS attacks.
 Gain the control authority of the server without authorization.
 Add, delete and change the accounts in the server without authorization.

The process of detect and revert SQL Injection Attacks

Some IDS software will execute effective detection for SQL Injection Attacks, though, firewall can not. Now, we go to the process of detect and revert SQL Injection Attacks with IDS software Ax3soft Sax2.

The steps of SQL Injection Attacks are:

a) Determine environment to find the injection point.
b) Determine the type of database.
c) Guess datasheet.
d) Guess the field.
e) Guess the content.

The steps “Guess datasheet”, “Guess the field” and “Guess the content” are very important fro SQL Injection Attacks during the full process. Let’s analyze these there steps.

Sax2 will detect and alarm the attacks in network real-time. It will show the in the table Event when there is SQL Injection Attacks, see the figure 1.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/DetectSQLInjectionAttacks(1">http://www.ids-sax2.com/articles/images ... nAttacks(1</a><!-- m -->).gif
Figure 1 Sax2 alarm the MS_SQL Injection Attacks real-time

The selected event in the Figure 1 shows the attacker’s IP 192.168.21.103, the victim’s IP 125.65.112.10. And the original message is “select * from [dirs]”, means enquire whether there is a datasheet named “dirs” in current database, in the Original Communication view.
The attacker will repeat the operation to gain the expected datasheet. He will try to guess the filed in the datasheet if found the corresponding datasheet in the database.
<!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/images/DetectSQLInjectionAttacks(2">http://www.ids-sax2.com/articles/images ... nAttacks(2</a><!-- m -->).gif
Figure 2 Sax2 analysis the attacker is guessing the filed in the admin database

The code in the red circle in the Figure 2 show the attacker is guessing the “paths” filed in the admin database. Also, the attacker will repeat the operation till find the corresponding filed.

The attacker will determine the length of the filed and guess the content after found the corresponding filed. It will be a SQL Injection Attacks after the attacker guess the content in the filed successfully. Sometimes, the attacker has to decryption the content if it in MD5 encryption.

Above is the whole process of SQL Injection Attacks and we detect it with Sax2. As we know, Sax2 can effectively detect and alarm the SQL Injection Attacks when it occurs. IDS software Sax2 is a useful tool for SQL Injection Attacks and make your network security combine with firewall software.]]> http://www.antisource.com/forums/showthread.php?tid=4258 Sat, 11 Jul 2009 23:23:34 +0000 http://www.antisource.com/forums/showthread.php?tid=4258
I seem to have this problem as well, I've searched your forums for advice on this, and found some... but unsure about using some of the software or scripts that you've discussed on these forums.

Any help in regards to this would be most appreciated.

I've downloaded the necessary files and stuff, and have the files zipped up and ready to send.

Regards.]]>
I seem to have this problem as well, I've searched your forums for advice on this, and found some... but unsure about using some of the software or scripts that you've discussed on these forums.

Any help in regards to this would be most appreciated.

I've downloaded the necessary files and stuff, and have the files zipped up and ready to send.

Regards.]]> http://www.antisource.com/forums/showthread.php?tid=4259 Wed, 24 Jun 2009 11:48:55 +0000 http://www.antisource.com/forums/showthread.php?tid=4259
i've got server with one network interface (le0), one public IP address (A.B.C.D) and there is remote proxy (W.X.Y.Z) port 3128. How to redirecting www traffict to use remote proxy using pf ? I use this pf rule but still not work.

rdr on le0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128


thanks
Reply With Quote]]>
i've got server with one network interface (le0), one public IP address (A.B.C.D) and there is remote proxy (W.X.Y.Z) port 3128. How to redirecting www traffict to use remote proxy using pf ? I use this pf rule but still not work.

rdr on le0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128


thanks
Reply With Quote]]> http://www.antisource.com/forums/showthread.php?tid=4260 Thu, 04 Jun 2009 06:29:25 +0000 http://www.antisource.com/forums/showthread.php?tid=4260
Here is my log.


Thanks for your Help.

Rhonda
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:50 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://sympatico.msn.ca/">http://sympatico.msn.ca/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: trueads search enhancer - {224B657E-C6FB-8649-7A70-40DB54998B75} - C:\WINDOWS\system32\escbvinayuwmgdj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: trueads - {f4c52357-874f-58fc-babd-ad61d06f4ae6} - C:\WINDOWS\system32\nsfD.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Jordan')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Jordan')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1007\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Whitney')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233830112531">http://update.microsoft.com/microsoftup ... 3830112531</a><!-- m -->
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233830105375">http://update.microsoft.com/microsoftup ... 3830105375</a><!-- m -->
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - <!-- m --><a class="postlink" href="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab">http://messenger.zone.msn.com/binary/Me ... b56907.cab</a><!-- m -->
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - <!-- m --><a class="postlink" href="http://driveragent.com/files/driveragent.cab">http://driveragent.com/files/driveragent.cab</a><!-- m -->
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9208 bytes]]>
Here is my log.


Thanks for your Help.

Rhonda
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:50 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://sympatico.msn.ca/">http://sympatico.msn.ca/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: trueads search enhancer - {224B657E-C6FB-8649-7A70-40DB54998B75} - C:\WINDOWS\system32\escbvinayuwmgdj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: trueads - {f4c52357-874f-58fc-babd-ad61d06f4ae6} - C:\WINDOWS\system32\nsfD.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Jordan')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Jordan')
O4 - HKUS\S-1-5-21-2000478354-1958367476-1417001333-1007\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Whitney')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233830112531">http://update.microsoft.com/microsoftup ... 3830112531</a><!-- m -->
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233830105375">http://update.microsoft.com/microsoftup ... 3830105375</a><!-- m -->
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - <!-- m --><a class="postlink" href="http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab">http://messenger.zone.msn.com/binary/Me ... b56907.cab</a><!-- m -->
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - <!-- m --><a class="postlink" href="http://driveragent.com/files/driveragent.cab">http://driveragent.com/files/driveragent.cab</a><!-- m -->
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9208 bytes]]> http://www.antisource.com/forums/showthread.php?tid=4261 Thu, 28 May 2009 17:41:33 +0000 http://www.antisource.com/forums/showthread.php?tid=4261
I often use the saved passwords of my Firefox browser to see and sometimes erase the passwords...only everytime I must go to Tools - Options - Safety - saved password.
I was arguing if there is a way to insert a link in the toolbar to simplify and speed up this task.

Thank you and hallo to everyone.]]>
I often use the saved passwords of my Firefox browser to see and sometimes erase the passwords...only everytime I must go to Tools - Options - Safety - saved password.
I was arguing if there is a way to insert a link in the toolbar to simplify and speed up this task.

Thank you and hallo to everyone.]]> http://www.antisource.com/forums/showthread.php?tid=4262 Sat, 16 May 2009 10:06:57 +0000 http://www.antisource.com/forums/showthread.php?tid=4262 http://www.antisource.com/forums/showthread.php?tid=4263 Tue, 24 Mar 2009 12:04:03 +0000 http://www.antisource.com/forums/showthread.php?tid=4263 be able to show some evidence of a problem I did run a kaspersky scan as well and it apparently
shows a worm in an email related file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:50 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\Local Settings\Temp\jkos-greg\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.amperite.com
O15 - Trusted Zone: *.antisource.com
O15 - Trusted Zone: *.asp.net
O15 - Trusted Zone: *.biblechurch.org
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.bookpool.com
O15 - Trusted Zone: *.cnbc.com
O15 - Trusted Zone: *.consumerreports.org
O15 - Trusted Zone: *.craigslist.com
O15 - Trusted Zone: *.drudgereport.com
O15 - Trusted Zone: *.durham.nc.us
O15 - Trusted Zone: *.durhamnc.gov
O15 - Trusted Zone: *.e-statement.com
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: *.globalspec.com
O15 - Trusted Zone: *.investorvillage.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.kaspersky.com
O15 - Trusted Zone: *.nasa.gov
O15 - Trusted Zone: *.ncmail.net
O15 - Trusted Zone: *.oilintel.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.ripoffreport.com
O15 - Trusted Zone: *.rr.com
O15 - Trusted Zone: *.scottrade.com
O15 - Trusted Zone: *.stockcharts.com
O15 - Trusted Zone: *.sun.com
O15 - Trusted Zone: *.thermastor.com
O15 - Trusted Zone: *.tradethenews.com
O15 - Trusted Zone: *.ustaxdata.com
O15 - Trusted Zone: *.wral.com
O15 - Trusted Zone: *.wraltv.com
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5365 bytes


================================================================================​=======

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 23:13:13
Records in database: 1958593


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 149144
Threat name 9
Infected objects 11
Suspicious objects 0
Duration of the scan 04:11:24

File name Threat name Threats count
C:\Documents and Settings\greg\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Worm.Win32.AutoRun.lpp 1

C:\SDFix\backups_old1\backups.zip Infected: Trojan-Downloader.Win32.PurityScan.gb 2

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:AdWare.Win32.CommAd.a 2

C:\SDFix\backups_old1\backups.zip Infected: not-virus:Hoax.Win32.Renos.daw 1

C:\SDFix\backups_old1\backups.zip Infected: Trojan-Downloader.Win32.Homles.cx 1

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:Monitor.Win32.NetMon.a 1

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1

C:\SDFix\backups_old2\backups.zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.d 1

C:\SDFix\backups_old2\backups.zip Infected: Trojan.Win32.Crypt.cz 1

The selected area was scanned.]]> be able to show some evidence of a problem I did run a kaspersky scan as well and it apparently
shows a worm in an email related file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:50 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\Local Settings\Temp\jkos-greg\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.amperite.com
O15 - Trusted Zone: *.antisource.com
O15 - Trusted Zone: *.asp.net
O15 - Trusted Zone: *.biblechurch.org
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.bookpool.com
O15 - Trusted Zone: *.cnbc.com
O15 - Trusted Zone: *.consumerreports.org
O15 - Trusted Zone: *.craigslist.com
O15 - Trusted Zone: *.drudgereport.com
O15 - Trusted Zone: *.durham.nc.us
O15 - Trusted Zone: *.durhamnc.gov
O15 - Trusted Zone: *.e-statement.com
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fidelity.com
O15 - Trusted Zone: *.globalspec.com
O15 - Trusted Zone: *.investorvillage.com
O15 - Trusted Zone: *.java.com
O15 - Trusted Zone: *.kaspersky.com
O15 - Trusted Zone: *.nasa.gov
O15 - Trusted Zone: *.ncmail.net
O15 - Trusted Zone: *.oilintel.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.ripoffreport.com
O15 - Trusted Zone: *.rr.com
O15 - Trusted Zone: *.scottrade.com
O15 - Trusted Zone: *.stockcharts.com
O15 - Trusted Zone: *.sun.com
O15 - Trusted Zone: *.thermastor.com
O15 - Trusted Zone: *.tradethenews.com
O15 - Trusted Zone: *.ustaxdata.com
O15 - Trusted Zone: *.wral.com
O15 - Trusted Zone: *.wraltv.com
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5365 bytes


================================================================================​=======

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 23:13:13
Records in database: 1958593


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 149144
Threat name 9
Infected objects 11
Suspicious objects 0
Duration of the scan 04:11:24

File name Threat name Threats count
C:\Documents and Settings\greg\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Worm.Win32.AutoRun.lpp 1

C:\SDFix\backups_old1\backups.zip Infected: Trojan-Downloader.Win32.PurityScan.gb 2

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:AdWare.Win32.CommAd.a 2

C:\SDFix\backups_old1\backups.zip Infected: not-virus:Hoax.Win32.Renos.daw 1

C:\SDFix\backups_old1\backups.zip Infected: Trojan-Downloader.Win32.Homles.cx 1

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:Monitor.Win32.NetMon.a 1

C:\SDFix\backups_old1\backups.zip Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1

C:\SDFix\backups_old2\backups.zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.d 1

C:\SDFix\backups_old2\backups.zip Infected: Trojan.Win32.Crypt.cz 1

The selected area was scanned.]]> http://www.antisource.com/forums/showthread.php?tid=4264 Fri, 06 Mar 2009 02:15:26 +0000 http://www.antisource.com/forums/showthread.php?tid=4264 http://www.antisource.com/forums/showthread.php?tid=4265 Mon, 02 Mar 2009 05:44:34 +0000 http://www.antisource.com/forums/showthread.php?tid=4265
SmitFraudFix v2.144

Scan done at 23:37:50.18, Thu 02/26/2009
Run from C:\Documents and Settings\Jay\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jay


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jay\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jay\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTask​Scheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C8955}"="jgzfkj9w38rksndfi7r4"

[HKEY_CLASSES_ROOT\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32]
@="C:\WINDOWS\system32\hhs3ijndfd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32]
@="C:\WINDOWS\system32\hhs3ijndfd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\reshhf.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


"Silent Runners.vbs", revision R50, <!-- m --><a class="postlink" href="http://www.silentrunners.org/">http://www.silentrunners.org/</a><!-- m -->
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DW6" = ""C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"" [file not found]
"x4uhkp2rvxr06m" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\vlhahkrbl3xm.exe" [file not found]
"dxyc4p3b2t6egdegh6qlwg6vj6ha4rnf1d33gqoho5" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\uqnhhxdj2.exe" [file not found]
"ecyf83ieh1mgx8lak5g" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\qbeywtg4.exe" [file not found]
"fglzf86v3s9gqw48bkqc6ak49s9fb53wklx00jtieuddr8wg7a" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\xm9ic7lv04y.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"S4F" = "C:\Program Files\S4F\Filter7.exe" ["S4F, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Gamevance" = "C:\Program Files\Gamevance\gamevance32.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"AppleSyncNotifier" = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Ibayig" = "rundll32.exe "C:\WINDOWS\Yyayoga.dll",e" [MS]
"jsf8uiw3jnjgffght" = "C:\DOCUME~1\Monique\LOCALS~1\Temp\winlognn.exe" [null data]
"Framework Windows" = "frmwrk32.exe" [null data]
"Xwejavaqegay" = "rundll32.exe "C:\WINDOWS\efuyuhasajubijam.dll",e" [MS]
"88d2667a" = "rundll32.exe "C:\WINDOWS\system32\dasakebe.dll",b" [MS]
"kumeforozi" = "Rundll32.exe "C:\WINDOWS\system32\wivovego.dll",s" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C5BF49A2-94F3-42BD-F434-3604812C8955}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\hhs3ijndfd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hhs3ijndfd.dll" [null data]
{e2b687e8-85c1-4fc1-a30e-24e1c12a6d86}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gijoyeri.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {HKLM...CLSID} = "Share-to-Web Upload Folder"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{C55C499D-3518-44a1-998E-796AC5FC989D}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{33F85093-44BB-4587-B25B-FFD05D5B9916}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5BF49A2-94F3-42BD-F434-3604812C8955}" = "jgzfkj9w38rksndfi7r4"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\hhs3ijndfd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hhs3ijndfd.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> crypt\DLLName = "crypts.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"_NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{unrecognized setting}

"NoSetActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoFolderOptions" = (REG_DWORD) hex:0x00000001
{Removes the Folder Options menu item from the Tools menu}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000001
{Prohibit changes}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSetActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]
"uldclhlt" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\urqPiiFV.dll",AddRefActCtx" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Ca​talog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Cat​alog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\DOCUME~1\Monique\LOCALS~1\Temp\ntdll64.dll [null data], 01, 33
C:\WINDOWS\system\wins4f.dll [null data], 02 - 16, 32
%SystemRoot%\system32\mswsock.dll [MS], 17 - 19, 22 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 20 - 21


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Pure Networks Net2Go Service, nmraapache, ""C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice" ["Pure Networks, Inc."]
SQL Server (XACTWARE), MSSQL$XACTWARE, ""C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sXACTWARE" [MS]
SQL Server Active Directory Helper, MSSQLServerADHelper, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe"" [MS]
SQL Server VSS Writer, SQLWriter, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
SQLSERVERAGENT, SQLSERVERAGENT, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE -i MSSQLSERVER" [MS]
Windows CardSpace, idsvc, ""C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 255 seconds, including 19 seconds for message boxes)]]>
SmitFraudFix v2.144

Scan done at 23:37:50.18, Thu 02/26/2009
Run from C:\Documents and Settings\Jay\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jay


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jay\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jay\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTask​Scheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C8955}"="jgzfkj9w38rksndfi7r4"

[HKEY_CLASSES_ROOT\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32]
@="C:\WINDOWS\system32\hhs3ijndfd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\InProcServer32]
@="C:\WINDOWS\system32\hhs3ijndfd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\reshhf.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


"Silent Runners.vbs", revision R50, <!-- m --><a class="postlink" href="http://www.silentrunners.org/">http://www.silentrunners.org/</a><!-- m -->
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DW6" = ""C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"" [file not found]
"x4uhkp2rvxr06m" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\vlhahkrbl3xm.exe" [file not found]
"dxyc4p3b2t6egdegh6qlwg6vj6ha4rnf1d33gqoho5" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\uqnhhxdj2.exe" [file not found]
"ecyf83ieh1mgx8lak5g" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\qbeywtg4.exe" [file not found]
"fglzf86v3s9gqw48bkqc6ak49s9fb53wklx00jtieuddr8wg7a" = "C:\DOCUME~1\Jay\LOCALS~1\Temp\xm9ic7lv04y.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"S4F" = "C:\Program Files\S4F\Filter7.exe" ["S4F, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Gamevance" = "C:\Program Files\Gamevance\gamevance32.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"AppleSyncNotifier" = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Ibayig" = "rundll32.exe "C:\WINDOWS\Yyayoga.dll",e" [MS]
"jsf8uiw3jnjgffght" = "C:\DOCUME~1\Monique\LOCALS~1\Temp\winlognn.exe" [null data]
"Framework Windows" = "frmwrk32.exe" [null data]
"Xwejavaqegay" = "rundll32.exe "C:\WINDOWS\efuyuhasajubijam.dll",e" [MS]
"88d2667a" = "rundll32.exe "C:\WINDOWS\system32\dasakebe.dll",b" [MS]
"kumeforozi" = "Rundll32.exe "C:\WINDOWS\system32\wivovego.dll",s" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C5BF49A2-94F3-42BD-F434-3604812C8955}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\hhs3ijndfd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hhs3ijndfd.dll" [null data]
{e2b687e8-85c1-4fc1-a30e-24e1c12a6d86}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gijoyeri.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {HKLM...CLSID} = "Share-to-Web Upload Folder"
\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{C55C499D-3518-44a1-998E-796AC5FC989D}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{33F85093-44BB-4587-B25B-FFD05D5B9916}" = "NetworkMagic"
-> {HKLM...CLSID} = "Network Magic Folders"
\InProcServer32\(Default) = "C:\Program Files\Pure Networks\Network Magic\nmspce.dll" ["Pure Networks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5BF49A2-94F3-42BD-F434-3604812C8955}" = "jgzfkj9w38rksndfi7r4"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\hhs3ijndfd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hhs3ijndfd.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> crypt\DLLName = "crypts.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"_NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{unrecognized setting}

"NoSetActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoFolderOptions" = (REG_DWORD) hex:0x00000001
{Removes the Folder Options menu item from the Tools menu}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000001
{Prohibit changes}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSetActiveDesktop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000001
{Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) hex:0x00000001
{Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]
"uldclhlt" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\urqPiiFV.dll",AddRefActCtx" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Ca​talog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Cat​alog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\DOCUME~1\Monique\LOCALS~1\Temp\ntdll64.dll [null data], 01, 33
C:\WINDOWS\system\wins4f.dll [null data], 02 - 16, 32
%SystemRoot%\system32\mswsock.dll [MS], 17 - 19, 22 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 20 - 21


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Pure Networks Net2Go Service, nmraapache, ""C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice" ["Pure Networks, Inc."]
SQL Server (XACTWARE), MSSQL$XACTWARE, ""C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sXACTWARE" [MS]
SQL Server Active Directory Helper, MSSQLServerADHelper, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe"" [MS]
SQL Server VSS Writer, SQLWriter, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
SQLSERVERAGENT, SQLSERVERAGENT, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE -i MSSQLSERVER" [MS]
Windows CardSpace, idsvc, ""C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 255 seconds, including 19 seconds for message boxes)]]> http://www.antisource.com/forums/showthread.php?tid=4266 Thu, 26 Feb 2009 13:28:16 +0000 http://www.antisource.com/forums/showthread.php?tid=4266
I used my friend's thumbdrive on my PC and now this msg keeps appearing when i remove anything plugged into the computer. Including my digital cam.
It also appears when the disc ejects]]>
I used my friend's thumbdrive on my PC and now this msg keeps appearing when i remove anything plugged into the computer. Including my digital cam.
It also appears when the disc ejects]]> http://www.antisource.com/forums/showthread.php?tid=4267 Wed, 25 Feb 2009 22:28:00 +0000 http://www.antisource.com/forums/showthread.php?tid=4267
anybody help , PLEASE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:48 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\PnkBstrA.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\SearchIndexer.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Documents and Settings\hilen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
G:\Program Files\Windows Desktop Search\WindowsSearch.exe
G:\WINDOWS\system32\notepad.exe
G:\WINDOWS\explorer.exe
G:\WINDOWS\system32\SearchProtocolHost.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = <!-- m --><a class="postlink" href="http://windowsupdate.microsoft.com/">http://windowsupdate.microsoft.com/</a><!-- m -->
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] G:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "G:\Documents and Settings\hilen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Gadu-Gadu] "G:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ccleaner] "G:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Search.lnk = G:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - <!-- m --><a class="postlink" href="res://G">res://G</a><!-- m -->:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - <!-- m --><a class="postlink" href="http://favorites.live.com/quickadd.aspx">http://favorites.live.com/quickadd.aspx</a><!-- m -->
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - <!-- m --><a class="postlink" href="res://E">res://E</a><!-- m -->:\PROGRA~1\msoffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\msoffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: <!-- m --><a class="postlink" href="http://mks.com.pl">http://mks.com.pl</a><!-- m -->
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab">http://www.nvidia.com/content/DriverDow ... eqlab3.cab</a><!-- m -->
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - <!-- m --><a class="postlink" href="http://www.eset.eu/buxus/docs/OnlineScanner.cab">http://www.eset.eu/buxus/docs/OnlineScanner.cab</a><!-- m -->
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223584199281">http://update.microsoft.com/windowsupda ... 3584199281</a><!-- m -->
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - <!-- m --><a class="postlink" href="http://www.mks.com.pl/skaner/SkanerOnline.cab">http://www.mks.com.pl/skaner/SkanerOnline.cab</a><!-- m -->
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab">http://www.nvidia.com/content/DriverDow ... rtScan.cab</a><!-- m -->
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - <!-- m --><a class="postlink" href="https://sslvpn.action.pl/dana-cached/setup/JuniperSetupSP1.cab">https://sslvpn.action.pl/dana-cached/se ... tupSP1.cab</a><!-- m -->
O23 - Service: Adobe LM Service - Unknown owner - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - G:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6817 bytes]]>
anybody help , PLEASE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:48 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\PnkBstrA.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\SearchIndexer.exe
G:\WINDOWS\RTHDCPL.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Documents and Settings\hilen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
G:\Program Files\Windows Desktop Search\WindowsSearch.exe
G:\WINDOWS\system32\notepad.exe
G:\WINDOWS\explorer.exe
G:\WINDOWS\system32\SearchProtocolHost.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = <!-- m --><a class="postlink" href="http://windowsupdate.microsoft.com/">http://windowsupdate.microsoft.com/</a><!-- m -->
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - G:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snpstd] G:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] G:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] G:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "G:\Documents and Settings\hilen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Gadu-Gadu] "G:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ccleaner] "G:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Search.lnk = G:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - <!-- m --><a class="postlink" href="res://G">res://G</a><!-- m -->:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - <!-- m --><a class="postlink" href="http://favorites.live.com/quickadd.aspx">http://favorites.live.com/quickadd.aspx</a><!-- m -->
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - <!-- m --><a class="postlink" href="res://E">res://E</a><!-- m -->:\PROGRA~1\msoffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\msoffice\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: <!-- m --><a class="postlink" href="http://mks.com.pl">http://mks.com.pl</a><!-- m -->
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab">http://www.nvidia.com/content/DriverDow ... eqlab3.cab</a><!-- m -->
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - <!-- m --><a class="postlink" href="http://www.eset.eu/buxus/docs/OnlineScanner.cab">http://www.eset.eu/buxus/docs/OnlineScanner.cab</a><!-- m -->
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223584199281">http://update.microsoft.com/windowsupda ... 3584199281</a><!-- m -->
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - <!-- m --><a class="postlink" href="http://www.mks.com.pl/skaner/SkanerOnline.cab">http://www.mks.com.pl/skaner/SkanerOnline.cab</a><!-- m -->
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab">http://www.nvidia.com/content/DriverDow ... rtScan.cab</a><!-- m -->
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - <!-- m --><a class="postlink" href="https://sslvpn.action.pl/dana-cached/setup/JuniperSetupSP1.cab">https://sslvpn.action.pl/dana-cached/se ... tupSP1.cab</a><!-- m -->
O23 - Service: Adobe LM Service - Unknown owner - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: M-Audio Conectiv Installer (MAudioConectivService) - Avid Technology, Inc. - G:\Program Files\M-Audio\Conectiv\MAUSBCVInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6817 bytes]]> http://www.antisource.com/forums/showthread.php?tid=4268 Wed, 18 Feb 2009 11:12:08 +0000 http://www.antisource.com/forums/showthread.php?tid=4268
this also serves as a warning for others to watch out for such emails.

need help for someone to analyse the attached zip file that comes with the email, the file opens in windows as a pif file, although it is labeled as htm* ( * is a hidden character not visible in window )

i renamed the file to .txt but it still shows as MSDOS executable, on inspection through command prompt it is actualy .txt.pif

could some kind soul with more knowledge on msdos advise what the file does please.

not much info on the email, it came from IP 58.137.55.113.
did not have much luck looking up that IP.

thanks much.

WARNING : do not download unless you know what you are doing
***link removed***]]>
this also serves as a warning for others to watch out for such emails.

need help for someone to analyse the attached zip file that comes with the email, the file opens in windows as a pif file, although it is labeled as htm* ( * is a hidden character not visible in window )

i renamed the file to .txt but it still shows as MSDOS executable, on inspection through command prompt it is actualy .txt.pif

could some kind soul with more knowledge on msdos advise what the file does please.

not much info on the email, it came from IP 58.137.55.113.
did not have much luck looking up that IP.

thanks much.

WARNING : do not download unless you know what you are doing
***link removed***]]> http://www.antisource.com/forums/showthread.php?tid=4269 Fri, 13 Feb 2009 02:40:17 +0000 http://www.antisource.com/forums/showthread.php?tid=4269 Solution:

Diagnosis View is the most direct and effective place to locate ARP attack and should be our first choice. Its interface is displayed as picture1.

(picture1)

Picture 1 definitely points out that there are two kinds of ARP attack event, ARP Scan and ARP MAC address changed, in the network, and the attack source is clearly given at the bottom. Meanwhile, Sax2 NIDS will provide reasons of such ARP attacks and corresponding solutions.

For more information, visit <!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/QuickLocateARPAttackSource.htm">http://www.ids-sax2.com/articles/QuickL ... Source.htm</a><!-- m -->]]> Solution:

Diagnosis View is the most direct and effective place to locate ARP attack and should be our first choice. Its interface is displayed as picture1.

(picture1)

Picture 1 definitely points out that there are two kinds of ARP attack event, ARP Scan and ARP MAC address changed, in the network, and the attack source is clearly given at the bottom. Meanwhile, Sax2 NIDS will provide reasons of such ARP attacks and corresponding solutions.

For more information, visit <!-- m --><a class="postlink" href="http://www.ids-sax2.com/articles/QuickLocateARPAttackSource.htm">http://www.ids-sax2.com/articles/QuickL ... Source.htm</a><!-- m -->]]> http://www.antisource.com/forums/showthread.php?tid=4270 Wed, 11 Feb 2009 04:56:51 +0000 http://www.antisource.com/forums/showthread.php?tid=4270 Thank you very much for any help.

Also, as far as the running processes go, I've already ended a lot of the *32.exe processes that were bogging the computer down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:24 PM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124">http://www.google.com/ig/dell?hl=en&cli ... bd=5070124</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.iastate.edu/">http://www.iastate.edu/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.comcast.net/">http://www.comcast.net/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124">http://www.google.com/ig/dell?hl=en&cli ... bd=5070124</a><!-- m -->
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CPV - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\WebShow\WebShow.dll
O2 - BHO: {6d4540f4-1ce4-3328-d3c4-56b46dccf491} - {194fccd6-4b65-4c3d-8233-4ec14f0454d6} - C:\WINDOWS\system32\lotsxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: worldadmarketplace - {571cc086-fbb7-2cbb-4c88-d91b3fa280e1} - C:\WINDOWS\system32\nsgD.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUkhiFX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A02E6FB2-D5D4-4D62-9393-7698A18AF8DA} - C:\WINDOWS\system32\yaywvvur.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll
O2 - BHO: worldadmarketplace browser enhancer - {EEABFA92-0B51-DF8F-BDAB-970AB5D10AD5} - C:\WINDOWS\system32\wkonygvgiueib.dll
O4 - HKLM\..\Run: [VirusRemover2008] C:\Program Files\VirusRemover2008\VRM2008.exe
O4 - HKLM\..\Run: [vbnualcukhrz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\wkonygvgiueib.dll"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [c0afcf83] rundll32.exe "C:\WINDOWS\system32\vqrsxgbw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Alyssa\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Alyssa\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Alyssa\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Alyssa\Application Data\Microsoft\Windows\bjssu.exe
O4 - HKCU\..\Run: [VnrPack23] "C:\Program Files\VnrPack\VnrPack23.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - <!-- m --><a class="postlink" href="http://photo.walgreens.com/WalgreensActivia.cab">http://photo.walgreens.com/WalgreensActivia.cab</a><!-- m -->
O20 - AppInit_DLLs: lotsxv.dll
O20 - Winlogon Notify: vtUkhiFX - C:\WINDOWS\SYSTEM32\vtUkhiFX.dll
O22 - SharedTaskScheduler: depreciable - {716002db-288c-4bf0-80cd-a467e78d8b55} - C:\WINDOWS\system32\dxovx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWx5c3Nh\command.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7640 bytes]]> Thank you very much for any help.

Also, as far as the running processes go, I've already ended a lot of the *32.exe processes that were bogging the computer down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:24 PM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124">http://www.google.com/ig/dell?hl=en&cli ... bd=5070124</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.iastate.edu/">http://www.iastate.edu/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.comcast.net/">http://www.comcast.net/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070124">http://www.google.com/ig/dell?hl=en&cli ... bd=5070124</a><!-- m -->
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CPV - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\WebShow\WebShow.dll
O2 - BHO: {6d4540f4-1ce4-3328-d3c4-56b46dccf491} - {194fccd6-4b65-4c3d-8233-4ec14f0454d6} - C:\WINDOWS\system32\lotsxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: worldadmarketplace - {571cc086-fbb7-2cbb-4c88-d91b3fa280e1} - C:\WINDOWS\system32\nsgD.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUkhiFX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A02E6FB2-D5D4-4D62-9393-7698A18AF8DA} - C:\WINDOWS\system32\yaywvvur.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll
O2 - BHO: worldadmarketplace browser enhancer - {EEABFA92-0B51-DF8F-BDAB-970AB5D10AD5} - C:\WINDOWS\system32\wkonygvgiueib.dll
O4 - HKLM\..\Run: [VirusRemover2008] C:\Program Files\VirusRemover2008\VRM2008.exe
O4 - HKLM\..\Run: [vbnualcukhrz] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\wkonygvgiueib.dll"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [c0afcf83] rundll32.exe "C:\WINDOWS\system32\vqrsxgbw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Alyssa\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Alyssa\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Alyssa\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Alyssa\Application Data\Microsoft\Windows\bjssu.exe
O4 - HKCU\..\Run: [VnrPack23] "C:\Program Files\VnrPack\VnrPack23.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - <!-- m --><a class="postlink" href="http://photo.walgreens.com/WalgreensActivia.cab">http://photo.walgreens.com/WalgreensActivia.cab</a><!-- m -->
O20 - AppInit_DLLs: lotsxv.dll
O20 - Winlogon Notify: vtUkhiFX - C:\WINDOWS\SYSTEM32\vtUkhiFX.dll
O22 - SharedTaskScheduler: depreciable - {716002db-288c-4bf0-80cd-a467e78d8b55} - C:\WINDOWS\system32\dxovx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWx5c3Nh\command.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7640 bytes]]> http://www.antisource.com/forums/showthread.php?tid=4271 Sun, 01 Feb 2009 16:15:09 +0000 http://www.antisource.com/forums/showthread.php?tid=4271 Main problem is that Internet explorer won't load and any other browser except moxilla won't run. Moxilla also freezes often.
most antispyware and malware programs won't update when I download them.

I have been trying to find the cause of this for weeks and today upon running Ad Aware it found a Win 32 worm Kelvir on the system.

I then ran an online scan on Panda Active Scan 2.0 and this found and disinfected the file- trj/Downloader.VFT.

Have tried uninstalling Speeditup Free and get the following message;
invalid ininstall control file C:\Program File\Speeditup Free\irunin.xml

Here is the log file from Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:21, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\didean\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://en.uk.acer.yahoo.com">http://en.uk.acer.yahoo.com</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://en.uk.acer.yahoo.com">http://en.uk.acer.yahoo.com</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.equinoxsolutions.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c97047fbb13c30) (gupdate1c97047fbb13c30) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7817 bytes


Can anyone suggest what I can do to effectively eradicate and destroy the installed program? I would be most grateful for any help,]]> Main problem is that Internet explorer won't load and any other browser except moxilla won't run. Moxilla also freezes often.
most antispyware and malware programs won't update when I download them.

I have been trying to find the cause of this for weeks and today upon running Ad Aware it found a Win 32 worm Kelvir on the system.

I then ran an online scan on Panda Active Scan 2.0 and this found and disinfected the file- trj/Downloader.VFT.

Have tried uninstalling Speeditup Free and get the following message;
invalid ininstall control file C:\Program File\Speeditup Free\irunin.xml

Here is the log file from Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:21, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Users\didean\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://en.uk.acer.yahoo.com">http://en.uk.acer.yahoo.com</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://en.uk.acer.yahoo.com">http://en.uk.acer.yahoo.com</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.equinoxsolutions.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c97047fbb13c30) (gupdate1c97047fbb13c30) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7817 bytes


Can anyone suggest what I can do to effectively eradicate and destroy the installed program? I would be most grateful for any help,]]> http://www.antisource.com/forums/showthread.php?tid=4272 Thu, 15 Jan 2009 20:31:02 +0000 http://www.antisource.com/forums/showthread.php?tid=4272 Scan saved at 12:42:33 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html">http://us.rd.yahoo.com/customize/ie/def ... earch.html</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html">http://us.rd.yahoo.com/customize/ie/def ... earch.html</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [cat]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200561234789">http://www.update.microsoft.com/windows ... 0561234789</a><!-- m -->
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab">http://www.nvidia.com/content/DriverDow ... eqlab2.cab</a><!-- m -->
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - <!-- m --><a class="postlink" href="http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab">http://fpdownload2.macromedia.com/get/s ... wflash.cab</a><!-- m -->
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7780 bytes]]> Scan saved at 12:42:33 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html">http://us.rd.yahoo.com/customize/ie/def ... earch.html</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html">http://us.rd.yahoo.com/customize/ie/def ... earch.html</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://www.yahoo.com/">http://www.yahoo.com/</a><!-- m -->
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = <!-- m --><a class="postlink" href="http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com">http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com</a><!-- m -->
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [cat]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <!-- m --><a class="postlink" href="http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200561234789">http://www.update.microsoft.com/windows ... 0561234789</a><!-- m -->
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab">http://www.nvidia.com/content/DriverDow ... eqlab2.cab</a><!-- m -->
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - <!-- m --><a class="postlink" href="http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab">http://fpdownload2.macromedia.com/get/s ... wflash.cab</a><!-- m -->
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7780 bytes]]> http://www.antisource.com/forums/showthread.php?tid=4273 Sat, 10 Jan 2009 15:37:32 +0000 http://www.antisource.com/forums/showthread.php?tid=4273
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:01 AM, on 1/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Vista Softwares\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Vista Softwares\Registry Mechanic\RMTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Vista Softwares\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Vista Softwares\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Vista Softwares\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Vista Softwares\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Vista Softwares\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [Cognac] C:\Users\Anuj\AppData\Local\Temp\~tmpb.exe
O4 - HKCU\..\Run: [MSFox] C:\Users\Anuj\AppData\Local\Temp\yyy17457.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - <!-- m --><a class="postlink" href="http://www.iexplorsecurity.com/redirect.php">http://www.iexplorsecurity.com/redirect.php</a><!-- m --> (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - <!-- m --><a class="postlink" href="http://www.iexplorsecurity.com/redirect.php">http://www.iexplorsecurity.com/redirect.php</a><!-- m --> (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab">http://www.nvidia.com/content/DriverDow ... eqlab3.cab</a><!-- m -->
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9294 bytes

Any help will be appreciated. Thanks.]]>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:01 AM, on 1/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Vista Softwares\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Vista Softwares\Registry Mechanic\RMTray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Vista Softwares\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Vista Softwares\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Vista Softwares\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=54896">http://go.microsoft.com/fwlink/?LinkId=54896</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <!-- m --><a class="postlink" href="http://go.microsoft.com/fwlink/?LinkId=69157">http://go.microsoft.com/fwlink/?LinkId=69157</a><!-- m -->
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Vista Softwares\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Vista Softwares\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [Cognac] C:\Users\Anuj\AppData\Local\Temp\~tmpb.exe
O4 - HKCU\..\Run: [MSFox] C:\Users\Anuj\AppData\Local\Temp\yyy17457.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - <!-- m --><a class="postlink" href="res://C">res://C</a><!-- m -->:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - <!-- m --><a class="postlink" href="http://www.iexplorsecurity.com/redirect.php">http://www.iexplorsecurity.com/redirect.php</a><!-- m --> (file missing)
O9 - Extra 'Tools' menuitem: Explorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - <!-- m --><a class="postlink" href="http://www.iexplorsecurity.com/redirect.php">http://www.iexplorsecurity.com/redirect.php</a><!-- m --> (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - <!-- m --><a class="postlink" href="http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab">http://www.nvidia.com/content/DriverDow ... eqlab3.cab</a><!-- m -->
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9294 bytes

Any help will be appreciated. Thanks.]]> http://www.antisource.com/forums/showthread.php?tid=4274 Fri, 19 Dec 2008 14:42:09 +0000 http://www.antisource.com/forums/showthread.php?tid=4274
However, I created a group but this is empty - how do I add the users to group? Do I need to do this to configure the updates. I installed the managed edition of the client and pointed it at the server, but I am unable to ge the clients to be displayed in the Symantec System Centre Console, only via the 'Find Computer' utility. What am I missing?

Regards,

Michael]]>
However, I created a group but this is empty - how do I add the users to group? Do I need to do this to configure the updates. I installed the managed edition of the client and pointed it at the server, but I am unable to ge the clients to be displayed in the Symantec System Centre Console, only via the 'Find Computer' utility. What am I missing?

Regards,

Michael]]>