Post #1 - Sep 15 2006, 09:02 PM
Member (Group: Members; Posts: 18; Joined: 17-August 05; Member No.: 31,472)
** Since this has all started I am now getting a blue screen when I restart my computer that says the Autochk is missing and has been skipped.

** Also I received after running the Ad-Aware SE: An exception occurred while trying to run ""C:\windows\system32\ivetppui.dll", dllgetversion"

** When the www.ad-w-a-r-e.com or url.cpvfeed.com pops up, it immediately shows a different address, and it is different each time or I would have given you that information also. However I have noticed that the url.cpvfarm.com then also goes to adfarm.com.

** Also Ewido kept trying to clean and quarantine Adware.Look2Me earlier before I ran the other programs. So I am not sure if that is still an issue or not. I have not been prompted lately.

Here is a HijackThis log. Any help you can give me would be so very appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:58 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{D58FCAFA-2431-5FBE-4105-5AF077BC61E0} - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157672564437
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mv0sl9d71.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Post #2 - Sep 16 2006, 04:45 AM
Forum Addict (Group: HJT Team; Posts: 10,603; Joined: 28-October 05; From: London; Member No.: 38,920)
Hello there and welcome to Bleeping Computer's security forum.

My name is David, I will be helping you with your log today.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R3 - URLSearchHook: (no name) - _{D58FCAFA-2431-5FBE-4105-5AF077BC61E0} - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mv0sl9d71.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Open HijackThis. Click on Open Misc Tools Section. Make sure that both boxes beside "Generate StartupList Log" are checked. Click Yes at the prompt. It will open a text file. Please copy the entire contents of that page and paste it here.

Please download ComboFix to your desktop. Double-click combo.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log. Also post the startup list.

David
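As an added triage example (not part of David's reply, and not HijackThis or ComboFix code): the entry types David picks out above can be pulled from a HijackThis log mechanically. The script below parses HJT-style lines and flags orphaned URLSearchHook CLSIDs, O16 ActiveX codebases that are not HTTP URLs (the mk:@MSITStore .chm entry above), Winlogon Notify packages that are not on an allow-list of stock XP SP2 packages or have no DLL path, and O4/O23 entries whose path contains non-ASCII or '?' characters (the lookalike-filename trick that shows up later in this thread's ComboFix log as d?xplore.exe). The allow-list is an assumption for illustration. The sample lines are taken from the log in post #1; the final O4 line is constructed.

```python
"""Flag HijackThis entries that a log helper would want to look at.

Added example for this thread; not HijackThis, ComboFix or Bleeping Computer code.
"""
import re

# Winlogon\Notify packages on a stock Windows XP SP2 install, plus WgaLogon
# from Windows Genuine Advantage. Assumption: illustrative allow-list, not
# an authoritative one.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# "R3 - URLSearchHook: ...", "O20 - Winlogon Notify: ...", and so on
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def suspicious_path(text):
    """True if the entry contains a non-ASCII character or a '?' placeholder:
    the way a lookalike name such as d?xplore.exe (posing as dexplore.exe)
    shows up in a log."""
    return any(ord(c) > 127 for c in text) or "?" in text


def triage_line(line):
    """Return a reason string if the entry deserves attention, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    # Search hook whose target DLL is gone: harmless but should be cleaned.
    if code == "R3" and body.startswith("URLSearchHook") and body.endswith("(no file)"):
        return "orphaned URLSearchHook CLSID (target DLL missing)"

    # "O16 - DPF: {CLSID} (name) - <codebase>": codebase should be an HTTP URL.
    if code == "O16":
        codebase = body.rsplit(" - ", 1)[-1]
        if not codebase.lower().startswith(("http://", "https://")):
            return "ActiveX codebase is not an HTTP URL: " + codebase

    # "O20 - Winlogon Notify: <name> - <dll>": loaded into winlogon.exe at logon.
    if code == "O20" and body.startswith("Winlogon Notify:"):
        _, rest = body.split(":", 1)
        name, _, dll = rest.strip().partition(" - ")
        if name.lower() not in KNOWN_NOTIFY:
            return f"unknown Winlogon Notify package {name} -> {dll}"
        if not dll.lower().endswith(".dll"):
            return f"Winlogon Notify package {name} has no DLL path ({dll})"

    # Autostart or service entries with lookalike file names.
    if code in ("O4", "O23") and suspicious_path(body):
        return "lookalike or non-ASCII path in autostart entry: " + body

    return None


def triage(lines):
    """Return [(line, reason)] for every flagged entry, in log order."""
    return [(ln, triage_line(ln)) for ln in lines if triage_line(ln)]


# Constructed sample: lines from the post #1 log above, plus one invented
# O4 entry whose filename carries a Cyrillic 'е' (U+0435) in place of 'e'.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"R3 - URLSearchHook: (no name) - _{D58FCAFA-2431-5FBE-4105-5AF077BC61E0} - (no file)",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab",
    r"O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\mv0sl9d71.dll",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    "O4 - HKLM\\..\\Run: [Qkdpmx] C:\\WINDOWS\\system32\\d\u0435xplore.exe",  # constructed
]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG  {line}\n      {reason}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's lines. The rules are deliberately narrow: an unknown Winlogon Notify package is worth a look even when its DLL name is not obviously random, and a lookalike path is flagged regardless of which autostart location it came from.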
Post #3 - Sep 16 2006, 06:32 AM
Member (Group: Members; Posts: 18; Joined: 17-August 05; Member No.: 31,472)
Hi David, My name is Ashley. Thank you so much for taking time to help me out.
Okay - I have all of the logs you need. Two things to tell you:

- I received an error when I ran ComboFix: C:\sUBs\tsf\ntp.exe C:\PROGRAM~1\\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed Dll initialization. Choose 'close' to terminate the application. I could only choose Ignore to continue, because choosing Close would shut down ComboFix.
- Also, I am still receiving "autochk.exe could not be found - skipping autochk" when I restart Windows.

Thanks again for helping out!!

--------------------------------------------------------------------------------------------------------------------

Here are all three logs:

Combo Fix

Owner - 06-09-16 6:02:39.57 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Owner\Desktop

(((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{50418F6D-F276-49FE-B98F-DC53BC20FD05}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{50418F6D-F276-49FE-B98F-DC53BC20FD05}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{50418F6D-F276-49FE-B98F-DC53BC20FD05}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{50418F6D-F276-49FE-B98F-DC53BC20FD05}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:
C:\WINDOWS\system32\CADBUIRoxio.dll
C:\WINDOWS\system32\jt2407fqe.dll
C:\WINDOWS\system32\jt4m07h1e.dll
C:\WINDOWS\system32\mv0sl9d71.dll
C:\WINDOWS\system32\nersno.dll
C:\WINDOWS\system32\guard.tmp

Granting sedebugprivilege to Administrators ... successful

(((((((((((((((((((((((((((((( E-Give / Ssk's Log ))))))))))))))))))))))))))))))
C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll

* * * POST RUN FILES/FOLDERS * * *

(((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))
C:\WINDOWS\Duce6.exe
C:\dfndrff_e2.exe
C:\deskbar3.exe
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\wapisu.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\Eim03.exe
C:\Program Files\PSLister

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\SEMBLY~1
C:\QooBox\Purity\Program Files\RACLE~1\dvdplay.exe
C:\QooBox\Purity\Program Files\RACLE~1\?racle
C:\QooBox\Purity\WINDOWS\SCURIT~1
C:\QooBox\Purity\WINDOWS\SCURIT~1\?xplorer.exe

((((((((((((((((((((((((((((((( Files Created from 2006-08-16 to 2006-09-16 ))))))))))))))))))))))))))))))))))
2006-09-14 09:03 186,223 --a------ C:\WINDOWS\srvazokfqw.exe
2006-09-14 08:58 396 --a------ C:\WINDOWS\dlcns.dll
2006-09-14 08:55 646,864 -r-hs---- C:\WINDOWS\vzwpufgA.exe
2006-09-14 08:55 215,308 --a------ C:\WINDOWS\srvihptiic.exe
2006-09-14 08:55 163,840 --a------ C:\WINDOWS\win32095135701241.exe
2006-09-14 08:52 119,069 --a------ C:\WINDOWS\YazzleBundle-1264.exe
2006-09-07 07:39 215,308 --a------ C:\WINDOWS\srvzgcmxkr.exe
2006-09-07 07:37 75,546 --a------ C:\WINDOWS\popupwithcast.exe
2006-08-20 11:28 98,354 --a------ C:\WINDOWS\system32\gwldo132.dll
2006-08-20 11:28 757,818 --a------ C:\WINDOWS\system32\gwadd1.dll
2006-08-20 11:28 74,240 --a------ C:\WINDOWS\system32\gwuninst.dll
2006-08-20 11:28 73,728 --a------ C:\WINDOWS\system32\ldapx.dll
2006-08-20 11:28 696,391 --a------ C:\WINDOWS\system32\xgbas10.dll
2006-08-20 11:28 57,344 --a------ C:\WINDOWS\system32\gwabl1us.dll
2006-08-20 11:28 53,248 --a------ C:\WINDOWS\system32\gwabs1us.dll
2006-08-20 11:28 53,248 --a------ C:\WINDOWS\system32\gwabp1us.dll
2006-08-20 11:28 503,877 --a------ C:\WINDOWS\system32\xgdm10.dll
2006-08-20 11:28 5,935,157 --a------ C:\WINDOWS\system32\gwenv1.dll
2006-08-20 11:28 491,589 --a------ C:\WINDOWS\system32\xgab10.dll
2006-08-20 11:28 487,424 --a------ C:\WINDOWS\system32\ldapssl.dll
2006-08-20 11:28 45,124 --a------ C:\WINDOWS\system32\gwshlext.dll
2006-08-20 11:28 36,932 --a------ C:\WINDOWS\system32\gwcnndll.dll
2006-08-20 11:28 331,830 --a------ C:\WINDOWS\system32\gwmsp132.dll
2006-08-20 11:28 303,166 --a------ C:\WINDOWS\system32\gwodm132.dll
2006-08-20 11:28 299,057 --a------ C:\WINDOWS\system32\gwabp132.dll
2006-08-20 11:28 282,673 --a------ C:\WINDOWS\system32\gwabs132.dll
2006-08-20 11:28 28,740 --a------ C:\WINDOWS\system32\gwshlimp.exe
2006-08-20 11:28 262,144 --a------ C:\WINDOWS\system32\ldapsdk.dll
2006-08-20 11:28 249,927 --a------ C:\WINDOWS\system32\xgcal10.dll
2006-08-20 11:28 24,644 --a------ C:\WINDOWS\system32\gwshlsnd.exe
2006-08-20 11:28 24,576 --a------ C:\WINDOWS\system32\gwshl1us.dll
2006-08-20 11:28 217,138 --a------ C:\WINDOWS\system32\gwabl132.dll
2006-08-20 11:28 196,662 --a------ C:\WINDOWS\system32\gwxpp132.dll
2006-08-20 11:28 196,608 --a------ C:\WINDOWS\system32\gwenl1us.dll
2006-08-20 11:28 16,384 --a------ C:\WINDOWS\system32\gwxpp1us.dll
2006-08-20 11:28 16,384 --a------ C:\WINDOWS\system32\gwodmus.dll
2006-08-20 11:28 16,384 --a------ C:\WINDOWS\system32\gwmsp1us.dll
2006-08-20 11:28 155,700 --a------ C:\WINDOWS\system32\odma32.dll
2006-08-20 11:28 1,749,057 --a------ C:\WINDOWS\system32\gwxis10.dll
2006-08-20 11:28 1,499,207 --a------ C:\WINDOWS\system32\xgmsg10.dll
2006-08-20 11:28 1,355,840 --a------ C:\WINDOWS\system32\gwwww1.dll
2006-08-20 11:25 280,064 --a------ C:\WINDOWS\system32\csta32.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-16 05:54 -------- d-------- C:\Program Files\HijackThis
2006-09-15 18:53 -------- d-------- C:\Program Files\Internet Explorer
2006-09-15 16:53 -------- d-------- C:\Program Files\Lavasoft
2006-09-15 16:53 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-09-15 10:44 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-14 21:31 -------- d-------- C:\Program Files\Common Files
2006-09-14 18:44 -------- d-------- C:\Program Files\PSCloner
2006-09-14 08:20 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-09-13 10:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-13 10:04 -------- d-------- C:\Program Files\SPSS
2006-09-13 07:37 -------- d-------- C:\Program Files\Google
2006-09-12 15:25 3631 --a------ C:\Documents and Settings\Owner\Application Data\evpro32.prf
2006-09-10 19:59 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-07 10:45 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-07 08:27 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-07 07:38 -------- d-------- C:\Program Files\popupwithcast
2006-09-01 21:45 -------- d-------- C:\Program Files\Absolute Poker
2006-08-26 14:21 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-26 14:21 -------- d-------- C:\Program Files\QuickTime
2006-08-26 14:18 -------- d-------- C:\Program Files\iTunes
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 11:24 -------- d-------- C:\Program Files\Windows NT
2006-08-14 19:52 78848 --a------ C:\WINDOWS\system32\nsh10CF.dll
2006-08-13 20:07 -------- d-------- C:\Program Files\Microsoft Works
2006-08-13 20:06 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-01 16:58 -------- d-------- C:\Documents and Settings\Owner\Application Data\Logitech
2006-08-01 16:55 -------- d-------- C:\Program Files\Logitech
2006-07-30 23:06 4778 --a------ C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-22 00:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-22 00:06 1435648 --a------ C:\WINDOWS\system32\query.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"FLMK08KB"="C:\\Program Files\\Muiltmedia keyboard utility\\1.1\\MMKEYBD.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser Mouse\\mouse32a.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"WildTangent CDA"="\"C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0500.dll\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"AAW"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://espn.go.com/i/story/storypage_bg.gif"
"SubscribedURL"="http://espn.go.com/i/story/storypage_bg.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,00,00,00,00,17,01,00,00,80,02,00,00,14,00,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,17,01,00,00,80,02,00,00,14,00,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:dc,ff,51,02,09,48,e9,77,88,32,e8,77,ff,ff,ff,ff,de,60,\
  e7,77,20,00,68,03

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qkdpmx"="C:\\WINDOWS\\system32\\d?xplore.exe"
"Notn"="C:\\Program Files\\apsi\\wtta.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qkdpmx"="C:\\WINDOWS\\system32\\d?xplore.exe"
"Notn"="C:\\Program Files\\apsi\\wtta.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-disabled]
"AUNPS2"="RUNDLL32 AUNPS2.DLL,_Run@16"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"nwiz"="nwiz.exe /install"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Completion time: Sat 09/16/2006 6:05:44.34
ComboFix.txt
ComboFix2.txt

-----------------------------------------------------------------------------------------------------

HijackThis Startup List

StartupList report, 9/16/2006, 5:54:34 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
DeviceDiscovery = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
FLMK08KB = C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
FLMOFFICE4DMOUSE = C:\Program Files\Browser Mouse\mouse32a.exe
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HP Software Update = C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
KBD = C:\HP\KBD\KBD.EXE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

AAW =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
WildTangent CDA = "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\DONTTO~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN!
(arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINDOWS - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: *No BHO's found* -------------------------------------------------- Enumerating Task Scheduler jobs: Spybot - Search & Destroy - Scheduled Task.job -------------------------------------------------- Enumerating Download Program Files: [Microsoft XML Parser for Java] CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\macromed\Shockwave 10\Download.dll CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab [Windows Genuine Advantage Validation Tool] InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204 [Trend Micro ActiveX Scan Agent 6.5] InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll CODEBASE = http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab [{233C1507-6A77-46A4-9443-F871F945D258}] CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab [MUWebControl Class] InProcServer32 = C:\WINDOWS\system32\muweb.dll CODEBASE = http://update.microsoft.com/microsoftupdat...b?1157672564437 [Update Class] InProcServer32 = C:\WINDOWS\system32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...37694.835462963 [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx CODEBASE = 
http://download.macromedia.com/pub/shockwa...ash/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINDOWS\System32\mswsock.dll NameSpace #2: C:\WINDOWS\System32\winrnr.dll NameSpace #3: C:\WINDOWS\System32\mswsock.dll Protocol #1: C:\WINDOWS\system32\mswsock.dll Protocol #2: C:\WINDOWS\system32\mswsock.dll Protocol #3: C:\WINDOWS\system32\mswsock.dll Protocol #4: C:\WINDOWS\system32\rsvpsp.dll Protocol #5: C:\WINDOWS\system32\rsvpsp.dll Protocol #6: C:\WINDOWS\system32\mswsock.dll Protocol #7: C:\WINDOWS\system32\mswsock.dll Protocol #8: C:\WINDOWS\system32\mswsock.dll Protocol #9: C:\WINDOWS\system32\mswsock.dll Protocol #10: C:\WINDOWS\system32\mswsock.dll Protocol #11: C:\WINDOWS\system32\mswsock.dll Protocol #12: C:\WINDOWS\system32\mswsock.dll Protocol #13: C:\WINDOWS\system32\mswsock.dll Protocol #14: C:\WINDOWS\system32\mswsock.dll Protocol #15: C:\WINDOWS\system32\mswsock.dll Protocol #16: C:\WINDOWS\system32\mswsock.dll Protocol #17: C:\WINDOWS\system32\mswsock.dll Protocol #18: C:\WINDOWS\system32\mswsock.dll Protocol #19: C:\WINDOWS\system32\mswsock.dll Protocol #20: C:\WINDOWS\system32\mswsock.dll Protocol #21: C:\WINDOWS\system32\mswsock.dll Protocol #22: C:\WINDOWS\system32\mswsock.dll Protocol #23: C:\WINDOWS\system32\mswsock.dll Protocol #24: C:\WINDOWS\system32\mswsock.dll Protocol #25: C:\WINDOWS\system32\mswsock.dll Protocol #26: C:\WINDOWS\system32\mswsock.dll Protocol #27: C:\WINDOWS\system32\mswsock.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system) Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start) Alerter: 
%SystemRoot%\System32\svchost.exe -k LocalService (manual start) Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start) AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system) Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) 1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart) Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start) ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled) COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) dmio: System32\drivers\dmio.sys (disabled) dmload: System32\drivers\dmload.sys (disabled) Logical Disk Manager: 
%SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start) drvmcdb: system32\drivers\drvmcdb.sys (system) drvnddm: system32\drivers\drvnddm.sys (autostart) Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start) ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system) ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart) Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Fax: %systemroot%\system32\fxssvc.exe (autostart) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) FltMgr: system32\drivers\fltmgr.sys (system) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) HTTP: System32\Drivers\HTTP.sys (manual start) HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) i81x: System32\DRIVERS\i81xnt5.sys (manual start) iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start) iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start) iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start) iAimFP3: System32\DRIVERS\wSiINTxx.sys 
(manual start) iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start) iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start) iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start) iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start) iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start) ialm: System32\DRIVERS\ialmnt5.sys (manual start) InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start) %imapi_ServiceDesc%: System32\DRIVERS\imapi.sys (system) IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start) IntelIde: System32\DRIVERS\intelide.sys (system) Intel Processor Driver: System32\DRIVERS\intelppm.sys (system) IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (system) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) Logitech SetPoint Keyboard Driver: system32\DRIVERS\L8042Kbd.sys (manual start) Logitech SetPoint PS/2 Mouse Filter Driver: system32\DRIVERS\L8042mou.Sys (manual start) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Logitech SetPoint Mouse Filter Driver: system32\DRIVERS\LMouKE.Sys (manual start) LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start) Macromedia Licensing 
Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start) Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start) Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start) Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start) Macronix MX987xx Family Fast Ethernet NT Driver: System32\DRIVERS\mxnic.sys (manual start) NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start) Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (manual start) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) 1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start) Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) NT LM Security Support 
Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) nv: System32\DRIVERS\nv4_mini.sys (manual start) nv4: System32\DRIVERS\nv4.sys (manual start) NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart) NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system) Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start) Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system) PalmUSBD: system32\drivers\PalmUSBD.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (manual start) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Padus ASPI Shell: system32\drivers\pfc.sys (manual start) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Processor Driver: System32\DRIVERS\processr.sys (system) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) PS2: System32\DRIVERS\PS2.sys (manual start) QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) PxHelp20: System32\DRIVERS\PxHelp20.sys (system) Logitech QuickCam Express: System32\DRIVERS\LVCM.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual 
start) Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) RDPCDD: System32\DRIVERS\RDPCDD.sys (system) Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start) S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (autostart) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) SiS315: System32\DRIVERS\sisgrp.sys (manual start) SiS AGP Filter: System32\DRIVERS\SISAGP.sys (system) BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start) Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Filter Driver: System32\DRIVERS\sr.sys (system) System Restore Service: 
%SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Srv: System32\DRIVERS\srv.sys (manual start) sscdbhk5: system32\drivers\sscdbhk5.sys (system) SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) ssrtln: system32\drivers\ssrtln.sys (system) Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart) BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{13C56707-A75E-427F-A3E7-375956BFF577} (manual start) Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system) Terminal Device Driver: System32\DRIVERS\termdd.sys (system) Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start) tfsnboio: system32\dla\tfsnboio.sys (autostart) tfsncofs: system32\dla\tfsncofs.sys (autostart) tfsndrct: system32\dla\tfsndrct.sys (autostart) tfsndres: system32\dla\tfsndres.sys (autostart) tfsnifs: system32\dla\tfsnifs.sys (autostart) tfsnopio: system32\dla\tfsnopio.sys (autostart) tfsnpool: system32\dla\tfsnpool.sys (autostart) tfsnudf: system32\dla\tfsnudf.sys (autostart) tfsnudfa: system32\dla\tfsnudfa.sys (autostart) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Uninterruptible Power 
Supply: %SystemRoot%\System32\ups.exe (manual start) USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start) Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start) Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start) Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start) USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start) USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start) Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start) VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system) VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system) ViaIde: System32\DRIVERS\viaide.sys (system) Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start) Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled) Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start) Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs 
(autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system) Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = *Registry value not found* Windows NT 'Wininit.ini': PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\Temp\Mime.822 -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDO This post has been edited by jcwagb: Sep 16 2006, 06:46 AM |
Sep 16 2006, 06:49 AM - Post #4
Forum Addict - Group: HJT Team - Posts: 10,603 - Joined: 28-October 05 - From: London - Member No.: 38,920
Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. A print out of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.

Download KillBox from the following link: http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop. Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\srvazokfqw.exe
C:\WINDOWS\dlcns.dll
C:\WINDOWS\vzwpufgA.exe
C:\WINDOWS\srvihptiic.exe
C:\WINDOWS\win32095135701241.exe
C:\WINDOWS\YazzleBundle-1264.exe
C:\WINDOWS\srvzgcmxkr.exe
C:\WINDOWS\popupwithcast.exe

Open 'File' in the KillBox menu on top and choose Paste from clipboard. You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes". Click OK at any Pending File Rename Operations prompt, and let me know if they appear. If you don't get that message, reboot manually. Your computer should reboot now.

Go to this page. Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", copy and paste next in the field:

C:\WINDOWS\system32\nsh10CF.dll

Then click the Send File button below. Please let me know when you have submitted the file.

Please open notepad and copy and paste next bold in it (don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Save this as "fix.reg". Choose to save as *all files and place it on your desktop. It should look like this: [screenshot]

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

In regards to the error you are getting at startup I think I have a possible fix, but you need your XP installation CD that came with your computer in order to transfer the files across. If you do not have the CD let me know and do not follow the instructions below.

1. Insert the Windows XP startup disk, and then close the Welcome to Microsoft Windows XP window if it appears.
2. Click Start, click Run, type cmd, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
copy drive letter:\i386\autochk.exe %WINDIR%\system32
Note: The drive letter placeholder represents the drive, such as "D:", that is running the Windows XP startup disk.
4. Type Y when you receive the following message: Overwrite C:\WINDOWS\system32\autochk.exe? (Yes/No/All)
5. Remove the Windows XP startup disk, and then restart the computer.

Let me know if you receive the error when you reboot this time. Post back with a new Hijackthis log.

David
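The helper above picked the files to delete by reading the posted StartupList and HijackThis output for autorun entries that do not belong. As an added illustration (this is not code from the thread, from HijackThis or from KillBox), the script below parses the three HijackThis line types most relevant here (O4 Run entries, O20 Winlogon Notify, O23 services) and applies two defender-side heuristics that are my own assumptions, not HijackThis logic: an autorun that launches from the Windows directory root rather than a subfolder, and a service whose publisher is missing or "Unknown owner". The sample lines are constructed after the log in this thread; the two O4 entries and the O23 service pointing at files from the KillBox list are hypothetical, added to show what a flagged entry looks like.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log: real-looking lines modelled on the HijackThis log posted in
# this thread, plus three hypothetical entries (the srvazokfqw / win32095135701241 O4
# lines and the "Unknown owner" O23 service) that reference files from the KillBox
# list. Those three entries are NOT in the original log; they are here for illustration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [srvazokfqw] C:\WINDOWS\srvazokfqw.exe
O4 - HKCU\..\Run: [win32095135701241] C:\WINDOWS\win32095135701241.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sample Service - Unknown owner - C:\WINDOWS\popupwithcast.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 lines look like: O20 - Winlogon Notify: name - path
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# O23 lines look like: O23 - Service: name - company - path
O23_PREFIX = "O23 - Service: "
# First executable named on a command line, quoted or not. HijackThis prints
# unquoted paths containing spaces, so we stop at the first known extension.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|pif|bat))"?(?:\s|$)', re.IGNORECASE)
# A file sitting directly in the Windows directory with no further subfolder.
WINROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def executable_path(command: str) -> Optional[str]:
    """Extract the executable path from a Run-style command line."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def parse_line(line: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (kind, path, company) for an O4/O20/O23 line, or None for other lines."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return "O4", executable_path(m.group("cmd")), None
    m = O20_RE.match(line)
    if m:
        return "O20", m.group("path").strip(), None
    if line.startswith(O23_PREFIX):
        # Split from the right so a service name containing " - " still parses.
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if len(parts) == 3:
            _name, company, path = parts
            return "O23", executable_path(path) or path.strip(), company.strip()
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the two heuristics to every parsable line and collect the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        kind, path, company = parsed
        if not path:
            continue
        reasons = []
        if WINROOT_RE.match(path):
            reasons.append("launches from the Windows directory root")
        if kind == "O23" and (not company or company.lower() == "unknown owner"):
            reasons.append("service has no verifiable publisher")
        if reasons:
            findings.append(Finding(raw.strip(), path, reasons))
    return findings


def flagged_paths(log_text: str = SAMPLE_LOG) -> List[str]:
    """Paths of all flagged entries, in log order."""
    return [f.path for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.path}: {', '.join(finding.reasons)}")
```

Run it on a saved HijackThis log by passing the file contents to `triage()`. The heuristics are deliberately narrow: a legitimate vendor entry such as hpsysdrv.exe lives in a subfolder (`c:\windows\system\`) and is not flagged, while the random-named files in the Windows root and the publisher-less service are. They are a starting point for review, not a verdict.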
Sep 16 2006, 06:54 AM - Post #5
Member - Group: Members - Posts: 18 - Joined: 17-August 05 - Member No.: 31,472
Here are the rest of the logs needed. I started where the HijackThis Startup List was cut off:
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 36,855 bytes
Report generated in 0.094 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
---------------------------------------------------------------------------------------------------------------------------
New HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 6:12:07 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157672564437
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Sep 16 2006, 07:10 AM, Post #6
Forum Addict, Group: HJT Team, Posts: 10,603, Joined: 28-October 05, From: London, Member No.: 38,920
Ok thanks, please complete the instructions I posted in post #4.
Sep 16 2006, 07:19 AM, Post #7
Member, Group: Members, Posts: 18, Joined: 17-August 05, Member No.: 31,472
I have completed all of the instructions you gave me in #4. I have also submitted the C:\WINDOWS\system32\nsh10CF.dll file.
For the startup error, I do not have a Windows XP startup disk.
Sep 17 2006, 02:30 PM, Post #8
Forum Addict, Group: HJT Team, Posts: 10,603, Joined: 28-October 05, From: London, Member No.: 38,920
I now see a clean log here; there are no signs of malware or anything that may cause the problems you are having. I recommend that you post your autochk.exe question in the following forum, as you will receive better help there. Let them know you have had your HijackThis log checked and it isn't a serious security issue.
Windows XP Home and Professional