Sign In
Create Account
2
I can't seem to get rid of a file called liyuwuviho in my registry which is calling a nesilifo.dll. There are probably hidden files that I am not catching.
Here is HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:30 PM, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Sun\SDK\lib\appservService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7c65880c-643b-4724-890f-4d191275a79e} - C:\WINDOWS\system32\vupowose.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [IDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GetIT] "C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Virtual Rooms] C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://*.listen.com
O15 - Trusted Zone: http://*.llnwd.net
O15 - Trusted Zone: *.real.com
O15 - Trusted Zone: http://allegisgroup.skillport.com
O15 - Trusted Zone: http://library.skillport.com
O15 - Trusted Zone: http://*.skillport.com
O15 - Trusted Zone: http://*.skillsoft.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall21.cab
O16 - DPF: {00000030-9593-4264-8B29-930B3E4EDCCD} - https://test.rooms.hp.com/vRoom_Cab/WebHPVCInstall30.cab
O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199561706073
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220563491695
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.external.hp.com/hp/capicom.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.193.150.85/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\yifiroso.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\SDK\lib\appservService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 16584 bytes
Panda Active Scan:
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-11-29 15:42:04
PROTECTIONS: 1
MALWARE: 55
SUSPECTS: 1
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Windows Defender 1.1.3903.0 No No
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00041904 adware/sidesearch Adware No 0 Yes No hkey_classes_root\sep.av.scandlgs
00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\classes\sep.av.scandlgs
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@fastclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@mediaplex[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@revenue[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www.myaffiliateprogram[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@xiti[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@statcounter[1].txt
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@club.cdfreaks[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@serving-sys[5].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www.burstbeacon[1].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@cdfreaks[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@server.iad.liveperson[1].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@advertising[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@media.adrevolver[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ads.pointroll[2].txt
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@fortunecity[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@zedo[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adrevolver[1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@bravenet[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@searchportal.information[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\hpadmin\Cookies\hpadmin@did-it[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@did-it[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@atwola[2].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@smartadserver[1].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www3.addfreestats[2].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@www6.addfreestats[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@ads.addynamix[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@citi.bridgetrack[1].txt
00444270 Adware/InternetSpeedMonitor Adware No 0 No No C:\Program Files\Common Files\Real\Update_OB\020a57bd.exe[iCheck.exe]
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@enhance[1].txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\unpingco\Cookies\unpingco@adserver.easyad[2].txt
02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\WINDOWS\Temp\Cookies\unpingco@adsrevenue[1].txt
02900551 Application/ProductKeyExplorer HackTools No 0 Yes No C:\Program Files\VisualStudio2005\productkeyexplorer_setup.exe
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{40A9C770-9957-4CD1-8CA8-2B0B29CCF829}\RP378\A0087300.sys
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location ȕ
;===============================================================================
================================================================================
=
===================
No C:\Program Files\Common Files\Real\Update_OB\020a57bd.exe[GetModule20.exe] ȕ
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description ȕ
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
MBAM:
Malwarebytes' Anti-Malware 1.30
Database version: 1435
Windows 5.1.2600 Service Pack 3
11/29/2008 2:45:08 PM
mbam-log-2008-11-29 (14-44-54).txt
Scan type: Quick Scan
Objects scanned: 61698
Time elapsed: 9 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
SPYBOT S&D:
--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-839522115-1383384898-515967899-1351697\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho
Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho
Virtumonde.prx: [SBI $3F5CA9DA] Autorun settings (liyuwuviho) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\liyuwuviho
AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
Omniture: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
Omniture: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
CoreMetrics: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
FastClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
Zedo: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
Right Media: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
BurstMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
AdRevolver: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
BurstMedia: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
Statcounter: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
BlueStreak: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: unpingco) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)
CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
BlueStreak: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)
HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)
DirectTrack: Tracking cookie (Firefox: default) (Cookie, nothing done)
DirectTrack: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-08-30 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-11-04 Includes\Adware.sbi (*)
2008-11-25 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-11-18 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-18 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-11-25 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-25 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-17 Includes\Security.sbi (*)
2008-11-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-11 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB928367)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This service pack is for Microsoft Visual Studio 2005 Professional Edition - ENU. \n
If you later install a more recent service pack, this service pack will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/926601
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/937061
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/947738
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Hotfix for Windows XP (KB944043-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F
Located: HK_LM:Run, ATIPTA
command: "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 344064
MD5: 8756D853A97FB6DD2A1571D7DF4F1146
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 115560
MD5: BF8EB12E412E02CD3C42CCF663324C5A
Located: HK_LM:Run, COEMsgDisplay
command: c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
file: c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
size: 26624
MD5: 6C96B7D32DC5D84A4EFACA63A259CAB6
Located: HK_LM:Run, Communicator
command: "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
file: C:\Program Files\Microsoft Office Communicator\communicator.exe
size: 5720072
MD5: 834E4F1038FB0145D559C775E0EEEA8B
Located: HK_LM:Run, Corel Photo Downloader
command: "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
file: C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
size: 531272
MD5: C9D4451B13578840134FB9F2A23F0A86
Located: HK_LM:Run, GetIT
command: "C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe"
file: C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
size: 286720
MD5: B1AA54916858F0186FC0D175FD6C41B9
Located: HK_LM:Run, hpWirelessAssistant
command: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
file: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
size: 507904
MD5: 2DF07BC576F814D9122F338EAD4B4220
Located: HK_LM:Run, IDA
command: c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
file: c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
size: 176128
MD5: 24C6CA88F49012E7AC34AE02A350F2F1
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 267048
MD5: 04A9F0C58B170F30445BCC0683EF9FFC
Located: HK_LM:Run, liyuwuviho
command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
file: C:\WINDOWS\system32\nesilifo.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, QuickPassword
command: C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
file: C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
size: 225280
MD5: 5F824265FFFF698E8AB5B5BC841602DE
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: D4F0F7437327DBAA264338BAAFB5E5AF
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
Located: HK_LM:Run, T-Mobile Connection Manager
command: "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a
file: C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe
size: 18968
MD5: EB620DC31EE482EB24DC7CD4985C83E0
Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC
Located: HK_LM:RunOnce, Malwarebytes' Anti-Malware
command: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
file: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
size: 399504
MD5: 7D45E5C4D5F76DA84DD04EDE6C5C109B
Located: HK_CU:Run, swg
where: PE_C_HPADMIN...
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, liyuwuviho
where: S-1-5-19...
command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
file: C:\WINDOWS\system32\nesilifo.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, liyuwuviho
where: S-1-5-20...
command: Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
file: C:\WINDOWS\system32\nesilifo.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-839522115-1383384898-515967899-1351697...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, HP Virtual Rooms
where: S-1-5-21-839522115-1383384898-515967899-1351697...
command: C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE
file: C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE
size: 10294616
MD5: 3351F5D89615619FAA125BF9BCE19B8C
Located: HK_CU:Run, MSMSGS
where: S-1-5-21-839522115-1383384898-515967899-1351697...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2
Located: HK_CU:Run, swg
where: S-1-5-21-839522115-1383384898-515967899-1351697...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
Located: HK_CU:RunOnce, FlashPlayerUpdate
where: S-1-5-21-839522115-1383384898-515967899-1351697...
command: C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
file: C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe
size: 218496
MD5: 8F9BDC7695F4DAAE45DBF23BE59BE0C8
Located: Startup (common), Adobe Gamma Loader.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A
Located: Startup (common), Sonic CinePlayer Quick Launch.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Sonic Shared\CineTray.exe
file: C:\Program Files\Common Files\Sonic Shared\CineTray.exe
size: 114688
MD5: BA0B29A846FC42ABAE57945F7BA76901
Located: Startup (common), Windows Desktop Search.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 118784
MD5: 946467B375D696FA073A6B9370A4C6CE
Located: Startup (common), WinZip Quick Pick.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 118784
MD5: 946467B375D696FA073A6B9370A4C6CE
Located: Startup (user), SDK Tray Menu.lnk
where: C:\Documents and Settings\unpingco\Start Menu\Programs\Startup...
command: C:\Sun\SDK\jdk\bin\javaw.exe
file: C:\Sun\SDK\jdk\bin\javaw.exe
size: 135168
MD5: 80D62C1F4C24794FF54CFE2F98BB307E
Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{02478D38-C3F9-4efb-9B51-7695ECA05670} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 2/15/2008 5:54:16 PM
Date (last access): 11/29/2008 12:45:32 PM
Date (last write): 2/15/2008 5:54:16 PM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: RealPlayer Download and Record Plugin for Internet Explorer
Path: C:\Program Files\Real\RealPlayer\
Long name: rpbrowserrecordplugin.dll
Short name: RPBROW~1.DLL
Date (created): 1/3/2008 4:35:16 PM
Date (last access): 11/29/2008 1:29:42 PM
Date (last write): 1/18/2008 1:01:42 PM
Filesize: 370296
Attributes: archive
MD5: 6E032715A135D156645D0548B90FEC6D
CRC32: 51F09C16
Version: 1.0.1.45
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 8/30/2008 9:24:56 PM
Date (last access): 11/29/2008 3:23:42 PM
Date (last write): 9/15/2008 2:25:44 PM
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Yahoo! IE Services Button
Path: C:\Program Files\Yahoo!\Common\
Long name: yiesrvc.dll
Short name:
Date (created): 12/12/2007 2:09:42 PM
Date (last access): 11/29/2008 1:52:16 PM
Date (last write): 12/12/2007 2:09:42 PM
Filesize: 222448
Attributes: archive
MD5: BBDE3B4ACB928F30A35DBA4DD11564E1
CRC32: F07520BB
Version: 2007.12.12.1
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: ssv.dll
Short name:
Date (created): 1/8/2008 12:33:46 PM
Date (last access): 11/29/2008 1:02:08 PM
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 501136
Attributes: archive
MD5: D787E3123FAD2BD58AB45B9A5C360ACD
CRC32: DDC625C2
Version: 6.0.30.5
{7c65880c-643b-4724-890f-4d191275a79e} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: vupowose.dll
Short name:
Date (created): 8/28/2008 12:10:40 PM
Date (last access): 11/29/2008 2:35:12 PM
Date (last write): 8/28/2008 12:10:40 PM
Filesize: 61952
Attributes: hidden sysfile archive
MD5: 240C379881BCB5A96B32809DF51314C7
CRC32: 3E734432
Version: 9.0.0.3250
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 1/3/2008 4:34:06 PM
Date (last access): 11/29/2008 12:11:44 PM
Date (last write): 1/3/2008 4:34:06 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\
Long name: swg.dll
Short name:
Date (created): 9/9/2008 9:27:54 PM
Date (last access): 11/29/2008 12:51:26 PM
Date (last write): 9/9/2008 9:27:56 PM
Filesize: 737776
Attributes: archive
MD5: AB32387A8F8C696A0739768B6B913714
CRC32: F4E76414
Version: 3.1.807.1746
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: McAfee SiteAdvisor BHO
Path: c:\PROGRA~1\mcafee\SITEAD~1\
Long name: McIEPlg.dll
Short name:
Date (created): 7/31/2008 10:16:54 AM
Date (last access): 11/29/2008 1:05:44 PM
Date (last write): 9/30/2008 12:05:24 PM
Filesize: 145424
Attributes: archive
MD5: 1B23DA47D1A3CB73B3909E320C1671D8
CRC32: EA0E7DA3
Version: 1.0.1.203
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{00000014-9593-4264-8B29-930B3E4EDCCD} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf
Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
{00000021-9593-4264-8B29-930B3E4EDCCD} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf
Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall21.cab
{00000030-9593-4264-8B29-930B3E4EDCCD} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf
Codebase: https://test.rooms.hp.com/vRoom_Cab/WebHPVCInstall30.cab
{00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class)
DPF name:
CLSID name: HPVirtualRooms32 Class
Installer: C:\WINDOWS\Downloaded Program Files\WebInstall.inf
Codebase: https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: HPVirtualRooms32.dll
Short name: HPVIRT~4.DLL
Date (created): 1/23/2008 12:49:12 PM
Date (last access): 11/29/2008 2:19:28 PM
Date (last write): 1/23/2008 12:49:12 PM
Filesize: 409600
Attributes: archive
MD5: 6AB718E5A04B1FF4A93008DC580AB205
CRC32: DD343A82
Version: 1.0.0.100
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\swdir.inf
Codebase: http://fpdownload.macromedia.com/get/shock...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\Director\
Long name: swdir.dll
Short name:
Date (created): 3/14/2008 10:40:48 AM
Date (last access): 11/29/2008 3:00:50 PM
Date (last write): 1/7/2008 10:26:46 AM
Filesize: 181672
Attributes: archive
MD5: B9360F674059276D5D3E8420216F8191
CRC32: B7DC4223
Version: 10.3.0.24
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/download/8/b...heckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 5/17/2006 2:23:38 AM
Date (last access): 11/29/2008 2:40:42 PM
Date (last write): 9/5/2008 10:30:06 PM
Filesize: 1480232
Attributes: archive
MD5: D0E44C9C8BD85350828458EAD715BD30
CRC32: 1F5F2366
Version: 1.8.31.9
{1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services)
DPF name:
CLSID name: Hewlett-Packard Online Support Services
Installer: C:\WINDOWS\Downloaded Program Files\HPISDataManager.inf
Codebase: http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB
Path: C:\WINDOWS\Downloaded Program Files\
Long name: HPISDataManager.dll
Short name: HPISDA~1.DLL
Date (created): 1/22/2008 11:41:40 AM
Date (last access): 11/29/2008 2:19:28 PM
Date (last write): 1/22/2008 11:41:40 AM
Filesize: 206208
Attributes: archive
MD5: F8F4BEAAA78B3DAEE48C0F26063864A1
CRC32: 46DAD22F
Version: 1.0.0.24
{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class)
DPF name:
CLSID name: ActiveScan 2.0 Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\as2stubie.inf
Codebase: http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: as2stubie.dll
Short name: AS2STU~1.DLL
Date (created): 6/30/2008 10:39:58 AM
Date (last access): 11/29/2008 2:19:28 PM
Date (last write): 6/30/2008 10:39:58 AM
Filesize: 128256
Attributes: archive
MD5: BB482DD127289F0FAD474610F5A4C3E3
CRC32: 1CF0CB03
Version: 1.0.0.10
{48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control)
DPF name:
CLSID name: MySpace Uploader Control
Installer: C:\WINDOWS\Downloaded Program Files\MySpaceUploader.inf
Codebase: http://lads.myspace.com/upload/MySpaceUploader1006.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MySpaceUploader.ocx
Short name: MYSPAC~1.OCX
Date (created): 2/1/2008 2:17:04 AM
Date (last access): 11/29/2008 2:19:30 PM
Date (last write): 2/1/2008 2:17:04 AM
Filesize: 2637440
Attributes: archive
MD5: 2245B3CAE09AF148D983F88F62153628
CRC32: A47295FA
Version: 1.0.0.6
{49232000-16E4-426C-A231-62846947304B} (SysData Class)
DPF name:
CLSID name: SysData Class
Installer: C:\WINDOWS\Downloaded Program Files\sysinfo.inf
Codebase: http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
description:
classification: Legitimate
known filename: SysInfo.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: SysInfo.dll
Short name:
Date (created): 5/15/2007 4:33:20 PM
Date (last access): 11/29/2008 2:19:30 PM
Date (last write): 5/15/2007 4:33:20 PM
Filesize: 251448
Attributes: archive
MD5: 55E8A05DDA26E8C455A7730721DCAF60
CRC32: 38BB3B52
Version: 2.4.0.0
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupd...b?1199561706073
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 1/26/2007 2:44:16 AM
Date (last access): 11/29/2008 2:42:08 PM
Date (last write): 7/18/2008 9:09:44 PM
Filesize: 205000
Attributes: archive
MD5: 4889720E56E85E1FE4659039BB5F6E3F
CRC32: EE278BD5
Version: 7.2.6001.784
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdat...b?1220563491695
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 7/30/2007 7:18:34 PM
Date (last access): 11/29/2008 2:41:06 PM
Date (last write): 7/18/2008 9:07:54 PM
Filesize: 210976
Attributes: archive
MD5: 5D5DE96F10C6ACDFBEF06125D0EC5890
CRC32: 8B6B8748
Version: 7.2.6001.784
{6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager)
DPF name:
CLSID name: HP Download Manager
Installer: C:\WINDOWS\Downloaded Program Files\HPDEXAXO.inf
Codebase: https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: HPDEXAXO.dll
Short name:
Date (created): 10/18/2007 10:04:16 AM
Date (last access): 11/29/2008 2:19:28 PM
Date (last write): 10/18/2007 10:04:16 AM
Filesize: 341296
Attributes: archive
MD5: CDE357CD3FC047F5C7D8B8345B6A42BF
CRC32: 7ABDC22F
Version: 1.0.5.1
{857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control)
DPF name:
CLSID name: HPPKI Control
Installer: C:\WINDOWS\Downloaded Program Files\HPPKI.inf
Codebase: https://digitalbadge.external.hp.com/hp/HPPKI.cab
description:
classification: Open for discussion
known filename: HPPKI.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: HPPKI.ocx
Short name:
Date (created): 11/12/2007 9:06:28 AM
Date (last access): 11/29/2008 2:19:28 PM
Date (last write): 11/12/2007 9:06:28 AM
Filesize: 475136
Attributes: archive
MD5: 742BEF26AC2DE4D4B1567B70C94D60A1
CRC32: 0FE5217F
Version: 1.0.0.12
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/24/2007 11:31:44 PM
Date (last access): 11/29/2008 1:02:08 PM
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5
{A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class)
DPF name:
CLSID name: Settings Class
Installer: C:\WINDOWS\Downloaded Program Files\capicom.inf
Codebase: https://digitalbadge.external.hp.com/hp/capicom.cab
description:
classification: Legitimate
known filename: capicom.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: capicom.dll
Short name:
Date (created): 1/26/2007 8:18:42 AM
Date (last access): 11/29/2008 2:39:54 PM
Date (last write): 4/11/2007 11:11:20 AM
Filesize: 511328
Attributes: archive
MD5: 9130CCE19B5DB3D2E31F9F789263FC4A
CRC32: 8E32474C
Version: 2.1.0.2
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_10.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 6:07:34 AM
Date (last access): 11/29/2008 1:01:22 PM
Date (last write): 11/9/2006 6:21:54 AM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 5.0.100.3
{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_15
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_15\bin\
Long name: NPJPI150_15.dll
Short name: NPJPI1~1.DLL
Date (created): 2/9/2008 2:05:04 AM
Date (last access): 11/29/2008 1:01:44 PM
Date (last write): 2/9/2008 2:19:44 AM
Filesize: 75264
Attributes: archive
MD5: E4868D23B38819DC25A911C750880485
CRC32: E048A7D1
Version: 5.0.150.4
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/24/2007 11:31:44 PM
Date (last access): 11/29/2008 3:23:48 PM
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/24/2007 11:31:44 PM
Date (last access): 11/29/2008 3:23:48 PM
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5
{DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class)
DPF name:
CLSID name: AxisMediaControlEmb Class
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://66.193.150.85/activex/AMC.cab
description:
classification: Open for discussion
known filename: AxisMediaControlEmb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Axis Communications\AXIS Media Control Embedded\
Long name: AxisMediaControlEmb.dll
Short name: AXISME~1.DLL
Date (created): 8/31/2008 1:02:16 PM
Date (last access): 11/29/2008 11:56:06 AM
Date (last write): 9/2/2005 7:37:30 AM
Filesize: 589824
Attributes: archive
MD5: 8F23C100DCB7FC2960EF25F71A8E42E2
CRC32: 2EFA37F1
Version: 3.32.14.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 888 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 944 ( 888) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 968 ( 888) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 1016 ( 968) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 1028 ( 968) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1184 (1016) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1268 (1016) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1480 (1016) C:\Program Files\Symantec AntiVirus\Smc.exe
size: 2479488
MD5: 848591D563FF6A996B6BCCFCC7FE88BA
PID: 1528 (1016) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1552 (1016) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1588 (1016) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1876 (1016) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
size: 108392
MD5: 673D6DE6D6E9D50CD5E9C78F0C916CB8
PID: 1416 (1016) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
size: 2240944
MD5: 3EF7AA62C2AE7ACF940C316C0158E3D2
PID: 780 (1400) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 728 (1480) C:\Program Files\Symantec AntiVirus\SmcGui.exe
size: 1660288
MD5: A7565C8515EF819284E5B8C9D685401B
PID: 428 ( 728) C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
size: 624048
MD5: CEC5A49E0B04E6927C61648685D34ACC
PID: 3504 (3484) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 2756 ( 780) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System
PID: 2908 ( 780) C:\Program Files\Internet Explorer\iexplore.exe
size: 635848
MD5: 1F03216084447F990AE797317D0A6E70
PID: 3416 ( 780) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
size: 396288
MD5: C4CA7416A6DF6D95075F81D9E3B41AD1
PID: 2052 (3416) C:\WINDOWS\system32\NOTEPAD.EXE
size: 69120
MD5: 5E28284F9B5F9097640D58A73D38AD4C
PID: 3604 (3484) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1261200
MD5: AABD7AA2B9EC0D0802002E028F8E9A81
PID: 3304 ( 780) C:\WINDOWS\system32\NOTEPAD.EXE
size: 69120
MD5: 5E28284F9B5F9097640D58A73D38AD4C
PID: 2408 (2756) C:\WINDOWS\hh.exe
size: 10752
MD5: 6BA0A833DCABF3E28622143689E2C92E
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/29/2008 3:23:48 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.yahoo.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{194F5AE1-0FA8-4322-8B98-16054A09E6AC}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{194F5AE1-0FA8-4322-8B98-16054A09E6AC}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73D9B310-54B3-41B5-A42F-21193AD21572}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{73D9B310-54B3-41B5-A42F-21193AD21572}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A52FE8B-3467-4DDD-BB9A-0B5FE70B6EBB}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A52FE8B-3467-4DDD-BB9A-0B5FE70B6EBB}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C86402F7-FD94-40BA-BE9C-59FBD61A7714}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C86402F7-FD94-40BA-BE9C-59FBD61A7714}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAA2E763-2E14-4800-B60F-ADD1888C41D3}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAA2E763-2E14-4800-B60F-ADD1888C41D3}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C7924E0-07A5-4F94-B2E8-79173BD47B95}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2C7924E0-07A5-4F94-B2E8-79173BD47B95}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA947764-93F7-46CC-A062-30F0503850C9}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA947764-93F7-46CC-A062-30F0503850C9}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
Thanks in advance for your help! It is greatly appreciated.
-
This topic is locked
Back to top
#2
Posted 01 December 2008 - 10:30 PM
-
- Members
-
- 13 posts
New Member
The situation has gotten worse. Here is the latest HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:27 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Sun\SDK\lib\appservService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7c65880c-643b-4724-890f-4d191275a79e} - C:\WINDOWS\system32\vupowose.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [IDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GetIT] "C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Virtual Rooms] C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://*.listen.com
O15 - Trusted Zone: http://*.llnwd.net
O15 - Trusted Zone: *.real.com
O15 - Trusted Zone: http://allegisgroup.skillport.com
O15 - Trusted Zone: http://library.skillport.com
O15 - Trusted Zone: http://*.skillport.com
O15 - Trusted Zone: http://*.skillsoft.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp...VCInstall14.cab
O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp...VCInstall21.cab
O16 - DPF: {00000030-9593-4264-8B29-930B3E4EDCCD} - https://test.rooms.h...VCInstall30.cab
O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp...VCInstall32.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199561706073
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220563491695
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge...om/hp/HPPKI.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.../hp/capicom.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.193.150.85/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA947764-93F7-46CC-A062-30F0503850C9}: NameServer = 16.110.135.51 16.110.135.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\yifiroso.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\SDK\lib\appservService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 16725 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:27 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Sun\SDK\lib\appservService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\system32\PSIService.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7c65880c-643b-4724-890f-4d191275a79e} - C:\WINDOWS\system32\vupowose.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [IDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GetIT] "C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Virtual Rooms] C:\PROGRA~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [liyuwuviho] Rundll32.exe "C:\WINDOWS\system32\nesilifo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://*.listen.com
O15 - Trusted Zone: http://*.llnwd.net
O15 - Trusted Zone: *.real.com
O15 - Trusted Zone: http://allegisgroup.skillport.com
O15 - Trusted Zone: http://library.skillport.com
O15 - Trusted Zone: http://*.skillport.com
O15 - Trusted Zone: http://*.skillsoft.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp...VCInstall14.cab
O16 - DPF: {00000021-9593-4264-8B29-930B3E4EDCCD} - https://www.rooms.hp...VCInstall21.cab
O16 - DPF: {00000030-9593-4264-8B29-930B3E4EDCCD} - https://test.rooms.h...VCInstall30.cab
O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp...VCInstall32.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPITWeb/Customer...DataManager.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecu...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199561706073
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220563491695
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge...om/hp/HPPKI.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://digitalbadge.../hp/capicom.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://66.193.150.85/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA947764-93F7-46CC-A062-30F0503850C9}: NameServer = 16.110.135.51 16.110.135.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\yifiroso.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\SDK\lib\appservService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 16725 bytes
#3
Posted 08 December 2008 - 09:40 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
Quote
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
- Please Read All Instructions Carefully
- If you don't understand something, stop and ask! Don't keep going on.
- Please do not run any other tools or scans whilst I am helping you
- Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please do the following
I will be notified and I will get back to you ASAP.
Download and Run RSIT
- Please download Random's System Information Tool by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
- log.txt will be opened maximized.
- Please post the contents of both log.txt and info.txt.
PM's for help will be ignored
#4
Posted 11 December 2008 - 07:34 AM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 8 2008, 01:40 PM, said:
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
If you can do those few things, everything should go smoothly
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please do the following
I will be notified and I will get back to you ASAP.
Download and Run RSIT
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
- Please Read All Instructions Carefully
- If you don't understand something, stop and ask! Don't keep going on.
- Please do not run any other tools or scans whilst I am helping you
- Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please do the following
I will be notified and I will get back to you ASAP.
Download and Run RSIT
- Please download Random's System Information Tool by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
- log.txt will be opened maximized.
- Please post the contents of both log.txt and info.txt.
#5
Posted 11 December 2008 - 07:38 AM
-
- Members
-
- 13 posts
New Member
Hi Katana:
Thanks for your response. I have a couple of questions. Since I last posted I went to another forum and they helped me clean up my last issue. However, tonight I ran a scan on spybot s&d and two trojan.vundo issues came up again, similar to last time. These were detected by my Symantec Endpoint Protection.
So should I start over again, and then do as you ask, or do I just proceed as you have instructed in your last email?
Thanks in advance for your help.
Regards,
matua105
Thanks for your response. I have a couple of questions. Since I last posted I went to another forum and they helped me clean up my last issue. However, tonight I ran a scan on spybot s&d and two trojan.vundo issues came up again, similar to last time. These were detected by my Symantec Endpoint Protection.
So should I start over again, and then do as you ask, or do I just proceed as you have instructed in your last email?
Thanks in advance for your help.
Regards,
matua105
#6
Posted 11 December 2008 - 12:11 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
#7
Posted 11 December 2008 - 12:54 PM
-
- Members
-
- 13 posts
New Member
Hello:
I received an error running RSIT:
"Line-1:
Error:Subscript used with non-Array variable."
while performing registry dump,
then it quit when I clicked ok.
I received an error running RSIT:
"Line-1:
Error:Subscript used with non-Array variable."
while performing registry dump,
then it quit when I clicked ok.
#8
Posted 11 December 2008 - 01:04 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
PM's for help will be ignored
#9
Posted 12 December 2008 - 05:39 AM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 11 2008, 05:04 AM, said:
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial
Post the log from ComboFix when you've accomplished that.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
#10
Posted 12 December 2008 - 05:40 AM
-
- Members
-
- 13 posts
New Member
Hi Katana:
Here is the combofix log:
ComboFix 08-12-11.04 - unpingco 2008-12-11 20:52:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.465 [GMT -8:00]
Running from: c:\documents and settings\unpingco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\unpingco\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.
2008-12-11 12:25 . 2008-12-11 12:25 <DIR> d-------- c:\windows\LastGood
2008-12-11 04:51 . 2008-12-11 04:51 <DIR> d-------- C:\rsit
2008-12-10 18:12 . 2008-12-11 09:02 <DIR> d-------- c:\program files\RA2HP
2008-12-03 20:46 . 2008-12-03 20:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-03 19:57 . 2008-12-03 19:58 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-03 19:57 . 2008-12-03 19:58 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-03 19:57 . 2008-12-03 19:58 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-03 19:57 . 2008-12-03 19:58 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-03 09:20 . 2008-12-03 09:20 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore
2008-12-03 08:51 . 2008-12-03 08:51 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\program files\COMODO
2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-12-02 17:04 . 2008-12-02 17:03 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 02:38 . 2008-12-02 02:38 221,184 --a------ c:\windows\SnoopFreeUI.exe
2008-12-02 02:38 . 2008-12-02 02:38 90,112 --a------ c:\windows\system32\SnoopFreeSvc.exe
2008-12-02 02:38 . 2008-12-02 02:38 45,056 --a------ c:\windows\SnoopFreeDll.dll
2008-12-02 02:38 . 2008-12-02 02:38 9,472 --a------ c:\windows\system32\drivers\SnopFree.sys
2008-12-02 02:35 . 2008-12-02 02:36 <DIR> d-------- C:\Snoopfree
2008-12-01 11:50 . 2008-12-01 12:04 <DIR> d-------- c:\documents and settings\unpingco\.SunDownloadManager
2008-12-01 11:22 . 2008-12-01 11:22 <DIR> d-------- c:\program files\Gmer
2008-12-01 11:17 . 2008-12-01 16:16 250 --a------ c:\windows\gmer.ini
2008-11-30 16:50 . 2008-11-30 16:50 1,281,506 --a------ C:\Sym_LoadPointDiag.zip
2008-11-30 16:43 . 2008-11-30 16:50 <DIR> d-------- C:\Sym_LoadPointDiag
2008-11-30 15:11 . 2008-11-30 15:11 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\windows\ERUNT
2008-11-30 01:26 . 2008-11-30 01:26 0 --a------ C:\AVScript26.js
2008-11-29 12:06 . 2008-11-29 12:06 <DIR> d-------- c:\program files\Panda Security
2008-11-29 12:06 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-13 17:19 . 2008-11-13 17:19 1,138,869 --a------ C:\ESUGLPDU_2.01.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 04:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 17:23 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 05:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 04:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 03:58 --------- d-----w c:\program files\Symantec
2008-12-03 17:06 --------- d-----w c:\program files\McAfee
2008-12-03 16:59 --------- d-----w c:\program files\symantec antivirus
2008-12-03 01:03 --------- d-----w c:\program files\Java
2008-12-02 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 06:22 --------- d-----w c:\program files\LimeWire
2008-11-26 06:21 --------- d-----w c:\documents and settings\unpingco\Application Data\LimeWire
2008-11-18 16:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 20:58 --------- d-----w c:\documents and settings\unpingco\Application Data\FileZilla
2008-11-02 04:24 --------- d-----w c:\program files\QuickTime
2008-11-02 04:23 --------- d-----w c:\program files\Common Files\Apple
2008-11-02 04:08 --------- d-----w c:\program files\Bonjour
2008-10-29 21:29 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-29 21:28 3,696,811 ----a-w c:\program files\FileZilla_3.1.5_win32-setup.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 13:21 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 14:36 --------- d-----w c:\program files\HPAVAdminScan
2008-10-14 15:54 --------- d-----w c:\documents and settings\unpingco\Application Data\Apple Computer
2008-10-14 15:51 349,880 ----a-w c:\windows\adminScanInstall.EXE
2008-10-07 15:01 3,659,444 ----a-w c:\program files\FileZilla_3.1.3.1_win32-setup.exe
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-02 23:38 3,648,871 ----a-w c:\program files\FileZilla_3.1.2_win32-setup.exe
2008-09-02 15:52 380,416 ----a-w c:\program files\CommunicatorPoliciesDocumentation.msi
2008-08-26 19:01 5,249,122 ----a-w c:\program files\FileZilla_3.1.1.1_win32.zip
2008-06-06 19:37 31,356,640 ----a-w c:\documents and settings\unpingco\symcdefsi32.exe
2008-03-07 23:31 260,608 ----a-w c:\program files\WordMailSupport.msi
2007-04-02 10:46 13,248 ----a-w c:\windows\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w c:\windows\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w c:\documents and settings\hpadmin\enablecoe.vbs
2006-10-28 05:06 2,480 ----a-w c:\program files\README.HTM
2008-02-01 19:05 88 --sh--r c:\windows\system32\9999CCE4CD.sys
2008-02-01 19:05 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-04 16:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-09 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"HP Virtual Rooms"="c:\progra~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE" [2008-02-24 10294616]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 344064]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-08-19 5720072]
"GetIT"="c:\program files\Hewlett-Packard\GetIT\GetIT.exe" [2007-12-03 286720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-12-02 c:\windows\SnoopFreeUI.exe]
c:\documents and settings\unpingco\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2008-01-09 135168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-05 113664]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 114688]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\Ida.exe"=
"c:\\Program Files\\ActivCard\\ActivCard Gold\\agutils.exe"=
"c:\\Program Files\\ActivCard\\ActivCard Initialization Utility\\ResetUtil.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\AboutCOE.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-29 28544]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2007-06-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]
R2 AppServer9PE;SunJavaSystemAppserver9PE;c:\sun\SDK\lib\appservService.exe "\"c:\sun\SDK\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\sun\SDK\bin\asadmin.bat\" stop-domain domain1\" []
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [2008-10-07 238080]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-07-31 206096]
R2 radexecd;HP OVCM Notify Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe" [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe" [2007-03-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe" [2008-07-03 315570]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\DRIVERS\akbus.sys [2007-01-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys [2007-01-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-04-06 13647]
R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-06-28 27008]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-06-28 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-03 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-23 231424]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\DRIVERS\radiamsi.sys [2007-08-03 23424]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-01-03 114016]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-07-08 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-11 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-12 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 00:27]
2008-12-12 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe -
Trusted Zone: *.cpqcorp.net
Trusted Zone: *.hp.com
Trusted Zone: *.hpqcorp.net
Trusted Zone: *.hpshopping.com
Trusted Zone: *.real.com
TCP: {AA947764-93F7-46CC-A062-30F0503850C9} = 16.110.135.51 16.110.135.52
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://66.193.150.85/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
FF - ProfilePath - c:\documents and settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 20:59:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acgnd.dll
c:\program files\ActivCard\ActivCard Gold\resources\acgndrc.dll
- - - - - - - > 'lsass.exe'(1096)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2008-12-11 21:03:22
ComboFix-quarantined-files.txt 2008-12-12 05:02:04
ComboFix2.txt 2008-12-02 20:44:33
Pre-Run: 23,258,411,008 bytes free
Post-Run: 23,417,651,200 bytes free
272 --- E O F --- 2008-12-04 04:13:05
Here is the combofix log:
ComboFix 08-12-11.04 - unpingco 2008-12-11 20:52:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.465 [GMT -8:00]
Running from: c:\documents and settings\unpingco\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\unpingco\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.
2008-12-11 12:25 . 2008-12-11 12:25 <DIR> d-------- c:\windows\LastGood
2008-12-11 04:51 . 2008-12-11 04:51 <DIR> d-------- C:\rsit
2008-12-10 18:12 . 2008-12-11 09:02 <DIR> d-------- c:\program files\RA2HP
2008-12-03 20:46 . 2008-12-03 20:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-03 19:57 . 2008-12-03 19:58 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-03 19:57 . 2008-12-03 19:58 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-03 19:57 . 2008-12-03 19:58 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-03 19:57 . 2008-12-03 19:58 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-03 09:20 . 2008-12-03 09:20 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore
2008-12-03 08:51 . 2008-12-03 08:51 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\program files\COMODO
2008-12-03 08:49 . 2008-12-03 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-12-02 17:04 . 2008-12-02 17:03 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 02:38 . 2008-12-02 02:38 221,184 --a------ c:\windows\SnoopFreeUI.exe
2008-12-02 02:38 . 2008-12-02 02:38 90,112 --a------ c:\windows\system32\SnoopFreeSvc.exe
2008-12-02 02:38 . 2008-12-02 02:38 45,056 --a------ c:\windows\SnoopFreeDll.dll
2008-12-02 02:38 . 2008-12-02 02:38 9,472 --a------ c:\windows\system32\drivers\SnopFree.sys
2008-12-02 02:35 . 2008-12-02 02:36 <DIR> d-------- C:\Snoopfree
2008-12-01 11:50 . 2008-12-01 12:04 <DIR> d-------- c:\documents and settings\unpingco\.SunDownloadManager
2008-12-01 11:22 . 2008-12-01 11:22 <DIR> d-------- c:\program files\Gmer
2008-12-01 11:17 . 2008-12-01 16:16 250 --a------ c:\windows\gmer.ini
2008-11-30 16:50 . 2008-11-30 16:50 1,281,506 --a------ C:\Sym_LoadPointDiag.zip
2008-11-30 16:43 . 2008-11-30 16:50 <DIR> d-------- C:\Sym_LoadPointDiag
2008-11-30 15:11 . 2008-11-30 15:11 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\windows\ERUNT
2008-11-30 01:26 . 2008-11-30 01:26 0 --a------ C:\AVScript26.js
2008-11-29 12:06 . 2008-11-29 12:06 <DIR> d-------- c:\program files\Panda Security
2008-11-29 12:06 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-13 17:19 . 2008-11-13 17:19 1,138,869 --a------ C:\ESUGLPDU_2.01.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 04:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 17:23 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 05:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 05:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 04:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-04 03:58 --------- d-----w c:\program files\Symantec
2008-12-03 17:06 --------- d-----w c:\program files\McAfee
2008-12-03 16:59 --------- d-----w c:\program files\symantec antivirus
2008-12-03 01:03 --------- d-----w c:\program files\Java
2008-12-02 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 06:22 --------- d-----w c:\program files\LimeWire
2008-11-26 06:21 --------- d-----w c:\documents and settings\unpingco\Application Data\LimeWire
2008-11-18 16:14 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 20:58 --------- d-----w c:\documents and settings\unpingco\Application Data\FileZilla
2008-11-02 04:24 --------- d-----w c:\program files\QuickTime
2008-11-02 04:23 --------- d-----w c:\program files\Common Files\Apple
2008-11-02 04:08 --------- d-----w c:\program files\Bonjour
2008-10-29 21:29 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-29 21:28 3,696,811 ----a-w c:\program files\FileZilla_3.1.5_win32-setup.exe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 13:21 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 14:36 --------- d-----w c:\program files\HPAVAdminScan
2008-10-14 15:54 --------- d-----w c:\documents and settings\unpingco\Application Data\Apple Computer
2008-10-14 15:51 349,880 ----a-w c:\windows\adminScanInstall.EXE
2008-10-07 15:01 3,659,444 ----a-w c:\program files\FileZilla_3.1.3.1_win32-setup.exe
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-02 23:38 3,648,871 ----a-w c:\program files\FileZilla_3.1.2_win32-setup.exe
2008-09-02 15:52 380,416 ----a-w c:\program files\CommunicatorPoliciesDocumentation.msi
2008-08-26 19:01 5,249,122 ----a-w c:\program files\FileZilla_3.1.1.1_win32.zip
2008-06-06 19:37 31,356,640 ----a-w c:\documents and settings\unpingco\symcdefsi32.exe
2008-03-07 23:31 260,608 ----a-w c:\program files\WordMailSupport.msi
2007-04-02 10:46 13,248 ----a-w c:\windows\system32\config\systemprofile\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\hpadmin\createprof.vbs
2007-04-02 10:46 13,248 ----a-w c:\documents and settings\Default User\createprof.vbs
2007-02-23 14:43 851 ----a-w c:\windows\system32\config\systemprofile\enablecoe.vbs
2007-02-23 14:43 851 ----a-w c:\documents and settings\hpadmin\enablecoe.vbs
2006-10-28 05:06 2,480 ----a-w c:\program files\README.HTM
2008-02-01 19:05 88 --sh--r c:\windows\system32\9999CCE4CD.sys
2008-02-01 19:05 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-04 16:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-09 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"HP Virtual Rooms"="c:\progra~1\HEWLET~1\HPVIRT~1.0\\HPVIRT~1.EXE" [2008-02-24 10294616]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 344064]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"T-Mobile Connection Manager"="c:\program files\T-Mobile\Connection Manager\TMobileCM.exe" [2007-07-23 18968]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-08-19 5720072]
"GetIT"="c:\program files\Hewlett-Packard\GetIT\GetIT.exe" [2007-12-03 286720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-12-02 c:\windows\SnoopFreeUI.exe]
c:\documents and settings\unpingco\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2008-01-09 135168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-05 113664]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-07-25 114688]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RadTray.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\Ida.exe"=
"c:\\Program Files\\ActivCard\\ActivCard Gold\\agutils.exe"=
"c:\\Program Files\\ActivCard\\ActivCard Initialization Utility\\ResetUtil.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE\\AboutCOE.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-29 28544]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [2007-06-26 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [2004-05-12 143360]
R2 AppServer9PE;SunJavaSystemAppserver9PE;c:\sun\SDK\lib\appservService.exe "\"c:\sun\SDK\bin\asadmin.bat\" start-domain --user admin domain1" "\"c:\sun\SDK\bin\asadmin.bat\" stop-domain domain1\" []
R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [2008-10-07 238080]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-07-31 206096]
R2 radexecd;HP OVCM Notify Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe" [2007-02-20 270510]
R2 radsched;HP OVCM Scheduler Daemon;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe" [2007-03-22 172205]
R2 Radstgms;HP OVCM MSI Redirector;"c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe" [2008-07-03 315570]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\DRIVERS\akbus.sys [2007-01-26 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akpcsc.sys [2007-01-26 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\DRIVERS\aksbus.sys [2007-04-06 13647]
R3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2007-06-28 27008]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\DRIVERS\akspcsc.sys [2007-06-28 10161]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-03 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-23 231424]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\DRIVERS\radiamsi.sys [2007-08-03 23424]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-01-03 114016]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-07-08 23888]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C99D666B-62E4-461B-A346-9375D55AB9BC}]
"c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-11 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-11 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-12 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 00:27]
2008-12-12 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
IE: {{E270AB82-96D5-45DB-ABE3-0BC038B92334} - c:\program files\Hewlett-Packard\IEToolBar\HP IE Fix.exe -
Trusted Zone: *.cpqcorp.net
Trusted Zone: *.hp.com
Trusted Zone: *.hpqcorp.net
Trusted Zone: *.hpshopping.com
Trusted Zone: *.real.com
TCP: {AA947764-93F7-46CC-A062-30F0503850C9} = 16.110.135.51 16.110.135.52
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://66.193.150.85/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
FF - ProfilePath - c:\documents and settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 20:59:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acgnd.dll
c:\program files\ActivCard\ActivCard Gold\resources\acgndrc.dll
- - - - - - - > 'lsass.exe'(1096)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2008-12-11 21:03:22
ComboFix-quarantined-files.txt 2008-12-12 05:02:04
ComboFix2.txt 2008-12-02 20:44:33
Pre-Run: 23,258,411,008 bytes free
Post-Run: 23,417,651,200 bytes free
272 --- E O F --- 2008-12-04 04:13:05
#11
Posted 12 December 2008 - 02:21 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Please download OTMoveIt3 by OldTimer and save it to your desktop
- Double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
explorer
:Services
:Reg
[-hkey_classes_root\sep.av.scandlgs]
[-hkey_local_machine\software\classes\sep.av.scandlgs]
:Files
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
- Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- - Close ALL open windows (especially Internet Explorer!)-
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
- Close any open programs.
- Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
- C:\Qoobox\Combofix2.txt
- OTMI Log
- Kaspersky Log
- How are things running now, any problems still ?
PM's for help will be ignored
#12
Posted 13 December 2008 - 05:41 AM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 12 2008, 06:21 AM, said:
OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Please download OTMoveIt3 by OldTimer and save it to your desktop
- Double-click OTMoveIt3.exe to run it.
- Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
explorer
:Services
:Reg
[-hkey_classes_root\sep.av.scandlgs]
[-hkey_local_machine\software\classes\sep.av.scandlgs]
:Files
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job
c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job
c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
- Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- - Close ALL open windows (especially Internet Explorer!)-
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review:
- Close any open programs.
- Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
- C:\Qoobox\Combofix2.txt
- OTMI Log
- Kaspersky Log
- How are things running now, any problems still ?
#13
Posted 13 December 2008 - 05:43 AM
-
- Members
-
- 13 posts
New Member
Hi Katana:
I made the mistake of running OTMoveIt3 when I failed to realize an IE7 window was minimized. How do I clear the results and run it again. I have tried to delete it and delete the old files but that is not working.
Thanks.
Regards,
matua
I made the mistake of running OTMoveIt3 when I failed to realize an IE7 window was minimized. How do I clear the results and run it again. I have tried to delete it and delete the old files but that is not working.
Thanks.
Regards,
matua
#14
Posted 13 December 2008 - 10:12 AM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
#15
Posted 14 December 2008 - 02:34 AM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 13 2008, 02:12 AM, said:
Don't worry, just run the Kaspersky scan 
Hi Katana. Here is the Kaspersky scan report
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 13, 2008 17:01:50
Records in database: 1458249
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Y:\
Scan statistics:
Files scanned: 232865
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:06:54
No malware has been detected. The scan area is clean.
The selected area was scanned.
#16
Posted 14 December 2008 - 10:04 AM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
#17
Posted 14 December 2008 - 07:08 PM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 14 2008, 02:04 AM, said:
That's looking fine, are there any problems now ?
Thanks Katana. Things are looking good so far!
I greatly appreciate all your help on this!
Regards,
matua
#18
Posted 14 December 2008 - 10:35 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
Congratulations your logs look clean
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecu....com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
Prevention
Internet Browsers
Cleaning Temporary Internet Files and Tracking Cookies
Also PLEASE read this article.....So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
- Uninstall Combofix
- This will clear your System Volume Information restore points and remove all the infected files that were quarantined
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecu....com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
- AntiSpyware is not the same thing as Antivirus.
- Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
- It includes host protection and registry protection
- MalwareBytes Anti-malware <<< A New and effective program
- a-squared Free <<< A good "realtime" or "on demand" scanner
- superantispyware <<< A good "realtime" or "on demand" scanner
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Prevention
- These programs don't detect malware, they help stop it getting on your machine in the first place.
- Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
- An excellent startup manager and then some !!
- SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
- SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
- SpywareGuard provides real-time protection against spyware.
- ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
- MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
Each does a different job, so you can have more than one
Internet Browsers
- Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialise and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Change the Download signed ActiveX controls to Prompt
- Next press the Apply button and then the OK to exit the Internet Properties page.
- From within Internet Explorer click on the Tools menu and then click on Options.
Using a different web browser can help stop malware getting on your machine.
Cleaning Temporary Internet Files and Tracking Cookies
- Temporary Internet Files are mainly the files that are downloaded when you open a web page.
- ATF Cleaner
- Free and very simple to use
- CCleaner
- Free and very flexible, you can chose which cookies to keep
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
Also PLEASE read this article.....So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
PM's for help will be ignored
#19
Posted 15 December 2008 - 09:29 PM
-
- Members
-
- 13 posts
New Member
Katana, on Dec 14 2008, 02:35 PM, said:
Congratulations your logs look clean
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecu....com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
Prevention
Internet Browsers
Cleaning Temporary Internet Files and Tracking Cookies
Also PLEASE read this article.....So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
- Uninstall Combofix
- This will clear your System Volume Information restore points and remove all the infected files that were quarantined
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecu....com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details
AntiSpyware
- AntiSpyware is not the same thing as Antivirus.
- Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
- It includes host protection and registry protection
- MalwareBytes Anti-malware <<< A New and effective program
- a-squared Free <<< A good "realtime" or "on demand" scanner
- superantispyware <<< A good "realtime" or "on demand" scanner
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Prevention
- These programs don't detect malware, they help stop it getting on your machine in the first place.
- Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
- An excellent startup manager and then some !!
- SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
- SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
- SpywareGuard provides real-time protection against spyware.
- ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
- MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
Each does a different job, so you can have more than one
Internet Browsers
- Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialise and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Change the Download signed ActiveX controls to Prompt
- Next press the Apply button and then the OK to exit the Internet Properties page.
- From within Internet Explorer click on the Tools menu and then click on Options.
Using a different web browser can help stop malware getting on your machine.
Cleaning Temporary Internet Files and Tracking Cookies
- Temporary Internet Files are mainly the files that are downloaded when you open a web page.
- ATF Cleaner
- Free and very simple to use
- CCleaner
- Free and very flexible, you can chose which cookies to keep
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
Also PLEASE read this article.....So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Hi Katana:
I ran a scan using A2 free 3.5 and I found the following that Kaspersky missed:
a-squared Free - Version 3.5
Last update: 12/14/08 7:36:56 PM
Scan settings:
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On
Scan start: 12/15/08 8:31:44 AM
C:\Documents and Settings\unpingco\Cookies\unpingco@com[1].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674129 detected: Trace.TrackingCookie.coremetrics!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674130 detected: Trace.TrackingCookie.coremetrics!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674131 detected: Trace.TrackingCookie.coremetrics!A2
C:\Program Files\RA2HP\rasHost.exe detected: Heuristic.Dialer.RAS!A2
C:\Program Files\Remote Tools OTP\MSRATroubleShooter.exe detected: Heuristic.Dialer.RAS!A2
Scanned
Files: 447439
Traces: 550194
Cookies: 1063
Processes: 73
Found
Files: 2
Traces: 0
Cookies: 4
Processes: 0
Registry keys: 0
Scan end: 12/15/08 1:07:12 PM
Scan time: 4:35:28
C:\Program Files\RA2HP\rasHost.exe Deleted Heuristic.Dialer.RAS!A2
C:\Program Files\Remote Tools OTP\MSRATroubleShooter.exe Deleted Heuristic.Dialer.RAS!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674129 Deleted Trace.TrackingCookie.coremetrics!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674130 Deleted Trace.TrackingCookie.coremetrics!A2
C:\Documents and Settings\unpingco\Application Data\Mozilla\Firefox\Profiles\ccvwf14m.default\cookies.sqlite:1229315842674131 Deleted Trace.TrackingCookie.coremetrics!A2
C:\Documents and Settings\unpingco\Cookies\unpingco@com[1].txt Deleted Trace.TrackingCookie.com!A2
Deleted
Files: 2
Traces: 0
Cookies: 4
I deleted them, and I will scan again later.
#20
Posted 15 December 2008 - 10:13 PM
-
- Experts
-
- 387 posts
True Member
- Gender:Male
- Location:Manchester UK
They are just a few cookies and a couple of remote access programs that look like they belong to Hewlett-Packard.
PM's for help will be ignored
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
