Msiconf.exe Infection?


17 replies to this topic

#1 elroy325


Posted 20 February 2008 - 11:28 AM

I keep getting spyware called abetterinternet.aurora and virtumonde. I have updated and run Spybot in safe mode and fully booted up, but the problem keeps coming back. I have run Symantec AntiVirus (which comes up with nothing) in safe mode and when fully booted up.

I get tons of pop-ups and then my Symantec Auto-Protect pops up and notifies me that:
it deleted downloader 10_swp[1] and win7cc.tmp. It also deleted downloader.misleadapp with a file name of gos7d7.tmp.
It also quarantined win7d2.tmp.

As soon as I reboot, everything starts happening again and I get similar notifications from Symantec. Another symptom is that my desktop icons disappear.

I downloaded the Virtumonde removal tool from Symantec, but when I run it, it says Virtumonde isn't on my computer. However, Spybot finds it and fixes it, only to have it return again.


I believe the infection I have is called msiconf.exe, but I'm not sure. As soon as I start to use IE, that's when everything freezes up, viruses get picked up by Symantec Auto-Protect and I have to reboot.

My HijackThis has also been affected. I'm able to do a scan, but when I try to save a log the program just closes.

Any help would be greatly appreciated. Thanks!


#2 quietman7


Posted 20 February 2008 - 01:42 PM

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection". (If using Vista, right-click on VundoFix.exe and select "Run As Administrator".)

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 elroy325


Posted 20 February 2008 - 04:41 PM

Thanks for the advice.
I didn't run SDFix because it seems to be for those having a command prompt error.
Here is what I got with VundoFix:


VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 4:20:53 PM 2/20/2008

Listing files found while scanning....

C:\WINDOWS\system32\winipo32.dll
C:\WINDOWS\system32\winkrg32.dll

Beginning removal...

Edited by elroy325, 20 February 2008 - 04:42 PM.


#4 quietman7


Posted 20 February 2008 - 06:32 PM

Your system is infected with more than vundo.

SDFix is a specialized file tool created by AndyManchesta to remove IRCBot variants, backdoor Trojans and the Rootkit components that come with them. This includes Msiconf.exe which you have identified as part of your infection. Go ahead and run the fix tool as instructed.

Edited by quietman7, 20 February 2008 - 06:33 PM.


#5 elroy325


Posted 20 February 2008 - 07:24 PM

SDFix: Version 1.144

Run by me on Wed 02/20/2008 at 06:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\WINDOWS\Installer\{cc3d79c9-13c4-4f88-8a01-2324add6255c}\zip.dll - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:01:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Tue 12 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Thu 29 Aug 2002 57,344 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 30 Jun 2007 1,786 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 13 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Feb 2008 20,992 ...H. --- "C:\Documents and Settings\me\Desktop\~WRL0003.tmp"
Tue 19 Jul 2005 997,888 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL0004.tmp"
Fri 23 Sep 2005 220,160 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL0005.tmp"
Fri 23 Sep 2005 221,184 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL0737.tmp"
Fri 16 Jun 2006 364,032 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL1526.tmp"
Fri 23 Sep 2005 222,208 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL1802.tmp"
Tue 19 Jul 2005 7,303,168 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL2949.tmp"
Fri 23 Sep 2005 223,232 ...H. --- "C:\Documents and Settings\me\My Documents\~WRL3799.tmp"
Tue 19 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{2ff79846-7943-4b4b-8ce7-ad8eb80a929b}\zip.dll"
Wed 20 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{3aa707a1-1250-442a-9e8f-d88609b62555}\zip.dll"
Sat 16 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{4cd1bd04-d056-4e16-8138-c233076d57c9}\zip.dll"
Tue 19 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{f56e3ef0-7754-43cc-9b9a-9e74d0c543ff}\zip.dll"
Sun 5 Jun 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 5 Jun 2005 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sat 5 Aug 2000 28,738 A..H. --- "C:\Program Files\Extras\installed\office xp\MSDE2000\SQLRESLD.DLL"

Finished!
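The SDFix report above lists one zip.dll that the tool removed under "Trojan Files Found", and four more files with the same name, the same 38,438-byte size and the same System+Hidden+Read-only attributes in sibling C:\WINDOWS\Installer\{GUID} folders. The following Python script is an added triage example, not part of the thread and not SDFix's own code: it parses the "Trojan Files Found" and "Files with Hidden Attributes" sections of the report text and flags hidden files that are siblings of a removed file, or that carry both System and Hidden and were written shortly before the scan. The sample report is an excerpt constructed from the lines above, the attribute-column layout and the seven-day window are assumptions of the example, and the output is a list for a reviewer to look at, not a verdict.

```python
"""Triage helper for an SDFix text report (added example, not SDFix code).
Reads the 'Trojan Files Found' and 'Files with Hidden Attributes' sections
and flags hidden files that look like siblings of a removed file, plus
recently written files carrying both the System and Hidden attributes."""
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed excerpt: lines copied from the SDFix report posted in the
# thread, not a complete log.
SAMPLE_REPORT = r"""
Run by me on Wed 02/20/2008 at 06:56 PM

Trojan Files Found:

C:\WINDOWS\Installer\{cc3d79c9-13c4-4f88-8a01-2324add6255c}\zip.dll - Deleted

Files with Hidden Attributes:

Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Sat 30 Jun 2007 1,786 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 20 Feb 2008 20,992 ...H. --- "C:\Documents and Settings\me\Desktop\~WRL0003.tmp"
Tue 19 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{2ff79846-7943-4b4b-8ce7-ad8eb80a929b}\zip.dll"
Wed 20 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{3aa707a1-1250-442a-9e8f-d88609b62555}\zip.dll"
Sat 16 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{4cd1bd04-d056-4e16-8138-c233076d57c9}\zip.dll"
Tue 19 Feb 2008 38,438 ..SHR --- "C:\WINDOWS\Installer\{f56e3ef0-7754-43cc-9b9a-9e74d0c543ff}\zip.dll"
Sun 5 Jun 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"

Finished!
"""

# Attribute column as printed in the log: one letter per set flag, '.' when
# clear.  Columns 0, 2, 3, 4 read as Archive, System, Hidden, Read-only; the
# meaning of column 1 is not documented in the thread, so it is ignored
# (assumption of this example).
ATTR_NAMES = {"A": "archive", "S": "system", "H": "hidden", "R": "readonly"}

HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>.+)"\s*$')
TROJAN_RE = re.compile(r"^(?P<path>.+?) - (?P<action>\w+)$")
RUN_RE = re.compile(r"^Run by .* on \w{3} (?P<date>\d{2}/\d{2}/\d{4})")


def decode_attrs(field):
    """'A.SH.' -> frozenset({'archive', 'system', 'hidden'})."""
    return frozenset(ATTR_NAMES[c] for c in field if c in ATTR_NAMES)


def parse_scan_date(text):
    """Date of the run, taken from the 'Run by ... on' header line."""
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group("date"), "%m/%d/%Y")
    raise ValueError("no 'Run by' header in report")


def parse_report(text):
    """Return (trojan_paths, hidden_records) parsed from the report text."""
    section, trojans, hidden = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Trojan Files Found:":
            section = "trojan"
        elif line == "Files with Hidden Attributes:":
            section = "hidden"
        elif line.endswith(":") or line == "Finished!":
            section = None  # any other header ends the current section
        elif section == "trojan":
            m = TROJAN_RE.match(line)
            if m:
                trojans.append(PureWindowsPath(m.group("path")))
        elif section == "hidden":
            m = HIDDEN_RE.match(line)
            if m:
                hidden.append({
                    "path": PureWindowsPath(m.group("path")),
                    "date": datetime.strptime(m.group("date"), "%a %d %b %Y"),
                    "size": int(m.group("size").replace(",", "")),
                    "attrs": decode_attrs(m.group("attrs")),
                })
    return trojans, hidden


def flag_siblings(trojans, hidden):
    r"""Hidden files with the same name and grandparent directory as a removed
    file, e.g. zip.dll in other C:\WINDOWS\Installer\{GUID} folders."""
    keys = {(t.name.lower(), str(t.parent.parent).lower()) for t in trojans}
    return [r for r in hidden
            if (r["path"].name.lower(), str(r["path"].parent.parent).lower()) in keys]


def flag_recent_system_hidden(hidden, scan_date, days=7):
    """Files with both System and Hidden set, written within `days` of the scan.
    The window is a triage heuristic of this example, not something SDFix reports."""
    return [r for r in hidden
            if {"system", "hidden"} <= r["attrs"]
            and 0 <= (scan_date - r["date"]).days <= days]


def triage(text, days=7):
    """Map each flagged path to the list of reasons it was flagged."""
    trojans, hidden = parse_report(text)
    reasons = {}
    for r in flag_siblings(trojans, hidden):
        reasons.setdefault(str(r["path"]), []).append("sibling of removed file")
    for r in flag_recent_system_hidden(hidden, parse_scan_date(text), days):
        reasons.setdefault(str(r["path"]), []).append("recent System+Hidden")
    return reasons


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{path}: {', '.join(why)}")
```

Run against the excerpt, both heuristics converge on the same four zip.dll copies, while the older System+Hidden files (the Symantec registry backups, the Word ~WRL*.tmp files) are left alone. A file hitting both rules is the kind of thing to submit to the helper in the thread, not something to delete by hand on the script's say-so.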

#6 quietman7


Posted 20 February 2008 - 09:54 PM

How is your computer running now? Are there any more signs of malware?

#7 elroy325


Posted 21 February 2008 - 11:22 AM

The computer is running well, but I still can't get rid of spyware such as abetterinternet.aurora. Spybot removes it and it keeps coming back.

#8 quietman7


Posted 21 February 2008 - 11:59 AM

Are they actual files or just registry entries? When inquiring about Spybot scans, you should always post a complete log of the actual detections received. Let's try a more effective anti-spyware scanner than Spybot.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 elroy325


Posted 21 February 2008 - 01:27 PM

OK, here is the Spybot report.
I will follow your last instructions and repost ASAP.
THANKS SO MUCH!


--- Search result list ---
DoubleClick: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)


ABetterInternet.Aurora: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

Talex.FTP.RegScan: Program directory (Directory, nothing done)
C:\WINDOWS\ftpcache\


--- Spybot - Search && Destroy version: 1.3 ---
2008-02-20 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi
2008-02-20 Includes\DialerC.sbi
2008-02-20 Includes\HeavyDuty.sbi
2008-02-20 Includes\Hijackers.sbi
2008-02-20 Includes\HijackersC.sbi
2008-02-20 Includes\Keyloggers.sbi
2008-02-20 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-02-20 Includes\Malware.sbi
2008-02-20 Includes\MalwareC.sbi
2008-02-20 Includes\PUPS.sbi
2008-02-20 Includes\PUPSC.sbi
2008-02-20 Includes\Revision.sbi
2008-01-09 Includes\Security.sbi
2008-02-20 Includes\SecurityC.sbi
2008-02-20 Includes\Spybots.sbi
2008-02-20 Includes\SpybotsC.sbi
2007-11-06 Includes\Tracks.uti
2008-02-20 Includes\Trojans.sbi
2008-02-20 Includes\TrojansC.sbi
2007-06-06 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Windows XP / SP2: Windows XP Hotfix - KB828756
/ Windows XP / SP2: Microsoft DirectX 9.0b - KB830363
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8b9145d229d4e89d15acb820d4a3a90f

Located: HK_LM:Run, BrMfcWnd
command: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 52840
MD5: ae0f500ea5e01afef0bb9051969804b2

Located: HK_LM:Run, ControlCenter3
command: C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
size: 45056
MD5: 200e8e1a8ec988ee40ad5ca4358d5356

Located: HK_LM:Run, IndexSearch
command: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
file: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
size: 40960
MD5: ee25c4a5aa0839ef66ed3af0a79eef75

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 271672
MD5: 75e7851ce99ea8f9b74361f284666fe0

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, PaperPort PTD
command: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
file: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
size: 57393
MD5: 852803aaf50a785bafe788d2ad666c78

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 286720
MD5: 49ccfbe5d5225b9d3cc78c09dee147d0

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, RoxioEngineUtility
command: "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
file: C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
size: 69632
MD5: 44f2f7d1fd010127d6c490d08eab8e89

Located: HK_LM:Run, SetDefPrt
command: C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
file: C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
size: 49152
MD5: 0c6dc7f88df16a6851bd11a48a03da1b

Located: HK_LM:Run, SSBkgdUpdate
command: "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
file: C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
size: 155648
MD5: 1c3ca3e7807f915933bb4e08e599ddab

Located: HK_LM:Run, SSC_UserPrompt
command: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
file: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
size: 212992
MD5: 87bc2a46c5ca84a6d8ee70dfefc810ab

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
file: C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 125632
MD5: 4279e452e99a4f044ce37f03d57fa612

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 29ff6100b7b3d4818b61119bbfaae53a

Located: HK_CU:Run, AOL Fast Start
command: "C:\Program Files\America Online 9.0\AOL.EXE" -b
file: C:\Program Files\America Online 9.0\AOL.EXE
size: 50776
MD5: 9c4239915e23d7df1ddfb88512c08249

Located: HK_CU:Run, NBJ
command: "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
file: C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
size: 1871872
MD5: 11b320780b22eb88ceefd4bb69e44522

Located: HK_CU:Run, swg
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 171448
MD5: 0fa44ea8b03aba3e1d240b5a333d8e6a

Located: Startup (common), Exif Launcher 2.lnk
command: C:\Program Files\FinePixViewer\QuickDCF2.exe
file: C:\Program Files\FinePixViewer\QuickDCF2.exe
size: 294912
MD5: 7915fbf4126b18464f70b9bca191bf1d

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command:



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: ACROIEHELPER.OCX
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/22/2006 11:08:42 PM
Date (last access): 2/21/2008 1:24:50 PM
Date (last write): 10/22/2006 11:08:42 PM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 0.8.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDHelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 12:03:00 AM
Date (last access): 2/21/2008 11:13:50 AM
Date (last write): 5/12/2004 12:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: ssv.dll
Short name:
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/21/2008 11:14:14 AM
Date (last write): 11/9/2006 3:21:52 PM
Filesize: 440056
Attributes: archive
MD5: BC7A3C412FE12F471603473294CEEEBE
CRC32: 40152D34
Version: 0.5.0.0

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: Googletoolbar.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 1/23/2008 6:14:18 PM
Date (last access): 2/21/2008 11:14:20 AM
Date (last write): 1/23/2008 6:14:18 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 0.4.0.0

{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (ZoneAlarm Spy Blocker BHO)
BHO name: ZoneAlarm Spy Blocker BHO
CLSID name: ZoneAlarm Spy Blocker BHO
Path: C:\Program Files\ZoneAlarmSB\bar\1.bin\
Long name: SPYBLOCK.DLL
Short name:
Date (created): 1/1/2008 2:31:46 PM
Date (last access): 2/21/2008 11:14:22 AM
Date (last write): 1/1/2008 2:31:46 PM
Filesize: 262144
Attributes: archive
MD5: 6C186920871F16149331E5C911BEE931
CRC32: 0F62F9D9
Version: 0.2.0.3



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 6/29/2007 5:25:14 AM
Date (last access): 2/21/2008 11:13:50 AM
Date (last write): 6/29/2007 5:25:14 AM
Filesize: 574784
Attributes: archive
MD5: 92FCD2C6B05278FFD772AEE77D29A07C
CRC32: 3E432005
Version: 0.7.0.2

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 2/11/2007 12:08:40 PM
Date (last access): 2/20/2008 7:22:02 PM
Date (last write): 9/3/2006 11:10:30 PM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 0.10.0.1

{3334504D-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia)
DPF name:
CLSID name: Snapfish Activia
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SnapfishActivia1000.ocx
Short name: SNAPFI~1.OCX
Date (created): 6/3/2005 11:24:32 AM
Date (last access): 2/17/2008 10:53:04 PM
Date (last write): 6/3/2005 11:24:32 AM
Filesize: 286720
Attributes: archive
MD5: F5C79C45F1ADF877DC3AFDFF3565AE7B
CRC32: F118547A
Version: 0.1.0.0

{67DABFBF-D0AB-41FA-9C46-CC0F21721616} ()
DPF name:
CLSID name:

{7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class)
DPF name:
CLSID name: ICSScanner Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ICSScan.dll
Short name:
Date (created): 10/14/2005 12:28:38 PM
Date (last access): 2/21/2008 11:32:36 AM
Date (last write): 10/14/2005 12:28:38 PM
Filesize: 1201912
Attributes: archive
MD5: FCB84C39EBDF4DDC1D58EC64D8AE3E16
CRC32: A0E3314F
Version: 0.3.0.7

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/15/2008 8:44:52 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:

{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/21/2008 1:25:30 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/21/2008 1:25:30 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 2/21/2008 1:24:50 PM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 0.9.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 2/21/2008 1:25:30 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 116 ( 656) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
PID: 140 (1280) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PID: 264 ( 252) C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
PID: 288 (2424) C:\Program Files\America Online 9.0\waol.exe
PID: 292 (1280) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PID: 432 (1280) C:\Program Files\Real\RealPlayer\RealPlay.exe
PID: 524 ( 656) alg.exe
PID: 536 ( 4) \SystemRoot\System32\smss.exe
PID: 576 ( 656) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PID: 584 ( 536) csrss.exe
PID: 612 ( 536) \??\C:\WINDOWS\system32\winlogon.exe
PID: 656 ( 612) C:\WINDOWS\system32\services.exe
PID: 672 ( 612) C:\WINDOWS\system32\lsass.exe
PID: 676 ( 656) C:\WINDOWS\system32\AvidSDMService.exe
PID: 716 ( 656) C:\Program Files\Symantec AntiVirus\DefWatch.exe
PID: 772 (1280) C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
PID: 840 ( 656) C:\WINDOWS\system32\svchost.exe
PID: 888 ( 576) aoltpspd.exe
PID: 892 ( 656) C:\WINDOWS\System32\svchost.exe
PID: 972 ( 656) svchost.exe
PID: 988 ( 656) C:\WINDOWS\system32\bgsvcgen.exe
PID: 1080 ( 656) svchost.exe
PID: 1092 ( 288) C:\Program Files\America Online 9.0\shellmon.exe
PID: 1160 ( 656) C:\WINDOWS\System32\nvsvc32.exe
PID: 1176 (1280) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 1268 ( 656) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1276 (1280) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1280 (1224) C:\WINDOWS\Explorer.EXE
PID: 1348 ( 656) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1436 ( 656) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 1512 ( 656) C:\WINDOWS\system32\spoolsv.exe
PID: 1660 ( 656) C:\WINDOWS\System32\svchost.exe
PID: 1720 (1280) C:\Program Files\FinePixViewer\QuickDCF2.exe
PID: 1864 (1280) C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
PID: 1876 (1280) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 1908 (1280) C:\PROGRA~1\SYMANT~1\VPTray.exe
PID: 1932 ( 656) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PID: 2000 (1280) C:\Program Files\iTunes\iTunesHelper.exe
PID: 2008 ( 656) wdfmgr.exe
PID: 2120 ( 656) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PID: 2796 ( 656) C:\Program Files\iPod\bin\iPodService.exe
PID: 2936 (1280) C:\Program Files\PDMarq Audio Recorder\PDMarq Audio Recorder.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2/21/2008 1:25:30 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 February 2008 - 01:46 PM

NvCplDaemon is related to nVidia based graphics cards. Appears that detection is a "false positive".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 elroy325

elroy325
  • Topic Starter

  • Members
  • 51 posts

Posted 22 February 2008 - 02:15 PM

OK, I ran both SUPERAntiSpyware Pro and ATF-Cleaner as you recommended. I then ran Spybot and am still infected. Here are the reports:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/22/2008 at 12:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3407
Trace Rules Database Version: 1399

Scan type : Complete Scan
Total Scan Time : 01:24:13

Memory items scanned : 196
Memory threats detected : 0
Registry items scanned : 6371
Registry threats detected : 2
File items scanned : 54739
File threats detected : 0

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount



SPYBOT REPORT


--- Search result list ---
DoubleClick: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)


ABetterInternet.Aurora: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

Talex.FTP.RegScan: Program directory (Directory, nothing done)
C:\WINDOWS\ftpcache\


--- Spybot - Search && Destroy version: 1.3 ---


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Windows XP / SP2: Windows XP Hotfix - KB828756
/ Windows XP / SP2: Microsoft DirectX 9.0b - KB830363
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170




--- Browser helper object list ---



--- ActiveX list ---



--- Process list ---
Spybot - Search && Destroy process list report, 2/22/2008 2:09:17 PM



--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2/22/2008 2:09:17 PM



--- Winsock Layered Service Provider list ---

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 February 2008 - 02:36 PM

NvCplDaemon is related to nVidia based graphics cards. As I said, it appears that detection is a "false positive" and not an infection. Confirm this by asking someone at Spybot S&D Support.

#13 elroy325

elroy325
  • Topic Starter

  • Members
  • 51 posts

Posted 22 February 2008 - 08:10 PM

OK, but what about the other spyware that Spybot found:


--- Search result list ---
DoubleClick: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)


ABetterInternet.Aurora: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

FastClick: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)


Talex.FTP.RegScan: Program directory (Directory, nothing done)
C:\WINDOWS\ftpcache\

Zedo: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)



--- Spybot - Search && Destroy version: 1.3 ---
2008-02-20 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi
2008-02-20 Includes\DialerC.sbi
2008-02-20 Includes\HeavyDuty.sbi
2008-02-20 Includes\Hijackers.sbi
2008-02-20 Includes\HijackersC.sbi
2008-02-20 Includes\Keyloggers.sbi
2008-02-20 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-02-20 Includes\Malware.sbi
2008-02-20 Includes\MalwareC.sbi
2008-02-20 Includes\PUPS.sbi
2008-02-20 Includes\PUPSC.sbi
2008-02-20 Includes\Revision.sbi
2008-01-09 Includes\Security.sbi
2008-02-20 Includes\SecurityC.sbi
2008-02-20 Includes\Spybots.sbi
2008-02-20 Includes\SpybotsC.sbi
2007-11-06 Includes\Tracks.uti
2008-02-20 Includes\Trojans.sbi
2008-02-20 Includes\TrojansC.sbi
2007-06-06 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Windows XP / SP2: Windows XP Hotfix - KB828756
/ Windows XP / SP2: Microsoft DirectX 9.0b - KB830363
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8b9145d229d4e89d15acb820d4a3a90f

Located: HK_LM:Run, BrMfcWnd
command: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 52840
MD5: ae0f500ea5e01afef0bb9051969804b2

Located: HK_LM:Run, ControlCenter3
command: C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
size: 45056
MD5: 200e8e1a8ec988ee40ad5ca4358d5356

Located: HK_LM:Run, IndexSearch
command: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
file: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
size: 40960
MD5: ee25c4a5aa0839ef66ed3af0a79eef75

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 271672
MD5: 75e7851ce99ea8f9b74361f284666fe0

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, PaperPort PTD
command: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
file: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
size: 57393
MD5: 852803aaf50a785bafe788d2ad666c78

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 286720
MD5: 49ccfbe5d5225b9d3cc78c09dee147d0

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, RoxioEngineUtility
command: "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
file: C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
size: 69632
MD5: 44f2f7d1fd010127d6c490d08eab8e89

Located: HK_LM:Run, SetDefPrt
command: C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
file: C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
size: 49152
MD5: 0c6dc7f88df16a6851bd11a48a03da1b

Located: HK_LM:Run, SSBkgdUpdate
command: "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
file: C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
size: 155648
MD5: 1c3ca3e7807f915933bb4e08e599ddab

Located: HK_LM:Run, SSC_UserPrompt
command: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
file: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
size: 212992
MD5: 87bc2a46c5ca84a6d8ee70dfefc810ab

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
file: C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 125632
MD5: 4279e452e99a4f044ce37f03d57fa612

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 29ff6100b7b3d4818b61119bbfaae53a

Located: HK_CU:Run, AOL Fast Start
command: "C:\Program Files\America Online 9.0\AOL.EXE" -b
file: C:\Program Files\America Online 9.0\AOL.EXE
size: 50776
MD5: 9c4239915e23d7df1ddfb88512c08249

Located: HK_CU:Run, NBJ
command: "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
file: C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
size: 1871872
MD5: 11b320780b22eb88ceefd4bb69e44522

Located: HK_CU:Run, swg
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
size: 171448
MD5: 0fa44ea8b03aba3e1d240b5a333d8e6a

Located: Startup (common), Exif Launcher 2.lnk
command: C:\Program Files\FinePixViewer\QuickDCF2.exe
file: C:\Program Files\FinePixViewer\QuickDCF2.exe
size: 294912
MD5: 7915fbf4126b18464f70b9bca191bf1d

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command:



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: ACROIEHELPER.OCX
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/22/2006 11:08:42 PM
Date (last access): 2/22/2008 7:37:44 PM
Date (last write): 10/22/2006 11:08:42 PM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 0.8.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDHelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 12:03:00 AM
Date (last access): 2/22/2008 7:37:44 PM
Date (last write): 5/12/2004 12:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: ssv.dll
Short name:
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/22/2008 7:37:44 PM
Date (last write): 11/9/2006 3:21:52 PM
Filesize: 440056
Attributes: archive
MD5: BC7A3C412FE12F471603473294CEEEBE
CRC32: 40152D34
Version: 0.5.0.0

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: Googletoolbar.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 1/23/2008 6:14:18 PM
Date (last access): 2/22/2008 7:37:44 PM
Date (last write): 1/23/2008 6:14:18 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 0.4.0.0

{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (ZoneAlarm Spy Blocker BHO)
BHO name: ZoneAlarm Spy Blocker BHO
CLSID name: ZoneAlarm Spy Blocker BHO
Path: C:\Program Files\ZoneAlarmSB\bar\1.bin\
Long name: SPYBLOCK.DLL
Short name:
Date (created): 1/1/2008 2:31:46 PM
Date (last access): 2/22/2008 7:37:44 PM
Date (last write): 1/1/2008 2:31:46 PM
Filesize: 262144
Attributes: archive
MD5: 6C186920871F16149331E5C911BEE931
CRC32: 0F62F9D9
Version: 0.2.0.3



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 6/29/2007 5:25:14 AM
Date (last access): 2/22/2008 2:09:18 PM
Date (last write): 6/29/2007 5:25:14 AM
Filesize: 574784
Attributes: archive
MD5: 92FCD2C6B05278FFD772AEE77D29A07C
CRC32: 3E432005
Version: 0.7.0.2

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 2/11/2007 12:08:40 PM
Date (last access): 2/22/2008 2:09:18 PM
Date (last write): 9/3/2006 11:10:30 PM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 0.10.0.1

{3334504D-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia)
DPF name:
CLSID name: Snapfish Activia
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SnapfishActivia1000.ocx
Short name: SNAPFI~1.OCX
Date (created): 6/3/2005 11:24:32 AM
Date (last access): 2/22/2008 2:09:18 PM
Date (last write): 6/3/2005 11:24:32 AM
Filesize: 286720
Attributes: archive
MD5: F5C79C45F1ADF877DC3AFDFF3565AE7B
CRC32: F118547A
Version: 0.1.0.0

{67DABFBF-D0AB-41FA-9C46-CC0F21721616} ()
DPF name:
CLSID name:

{7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class)
DPF name:
CLSID name: ICSScanner Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ICSScan.dll
Short name:
Date (created): 10/14/2005 12:28:38 PM
Date (last access): 2/22/2008 7:46:30 PM
Date (last write): 10/14/2005 12:28:38 PM
Filesize: 1201912
Attributes: archive
MD5: FCB84C39EBDF4DDC1D58EC64D8AE3E16
CRC32: A0E3314F
Version: 0.3.0.7

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/22/2008 4:26:48 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:

{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/22/2008 8:08:32 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Path: C:\Program Files\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 11/9/2006 3:07:34 PM
Date (last access): 2/22/2008 8:08:32 PM
Date (last write): 11/9/2006 3:21:54 PM
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 0.5.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 2/22/2008 7:37:18 PM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 0.9.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 2/22/2008 8:08:32 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 132 (1780) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 188 ( 648) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PID: 220 ( 188) aoltpspd.exe
PID: 244 ( 648) C:\WINDOWS\system32\AvidSDMService.exe
PID: 292 (1780) C:\PROGRA~1\SYMANT~1\VPTray.exe
PID: 344 (1780) C:\Program Files\iTunes\iTunesHelper.exe
PID: 364 (1780) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PID: 436 ( 648) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PID: 484 ( 648) C:\WINDOWS\system32\bgsvcgen.exe
PID: 524 ( 4) \SystemRoot\System32\smss.exe
PID: 576 ( 524) csrss.exe
PID: 580 ( 648) C:\Program Files\Symantec AntiVirus\DefWatch.exe
PID: 604 ( 524) \??\C:\WINDOWS\system32\winlogon.exe
PID: 648 ( 604) C:\WINDOWS\system32\services.exe
PID: 660 ( 604) C:\WINDOWS\system32\lsass.exe
PID: 848 ( 648) C:\WINDOWS\system32\svchost.exe
PID: 900 ( 648) C:\WINDOWS\System32\svchost.exe
PID: 920 (1780) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PID: 948 ( 648) wdfmgr.exe
PID: 964 ( 464) C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
PID: 976 (1780) C:\Program Files\Real\RealPlayer\RealPlay.exe
PID: 1000 ( 648) svchost.exe
PID: 1044 ( 648) svchost.exe
PID: 1196 (1780) C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
PID: 1320 ( 648) C:\WINDOWS\System32\nvsvc32.exe
PID: 1352 (1780) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1368 (1780) C:\Program Files\FinePixViewer\QuickDCF2.exe
PID: 1400 ( 648) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1436 ( 648) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1540 ( 648) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 1596 ( 648) C:\WINDOWS\System32\svchost.exe
PID: 1740 ( 648) C:\WINDOWS\system32\spoolsv.exe
PID: 1780 (1692) C:\WINDOWS\Explorer.EXE
PID: 1972 ( 648) alg.exe
PID: 2012 ( 648) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
PID: 2044 (1780) C:\Program Files\Common Files\AOL\1155845066\ee\AOLSoftware.exe
PID: 2380 ( 648) C:\Program Files\iPod\bin\iPodService.exe
PID: 2404 ( 648) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PID: 2740 (3944) C:\Program Files\America Online 9.0\shellmon.exe
PID: 3944 (3660) C:\Program Files\America Online 9.0\waol.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2/22/2008 8:08:32 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm



#14 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 February 2008 - 10:38 PM

The Talex.FTP.RegScan alert on the C:\WINDOWS\ftpcache\ folder is a false detection according to this discussion thread, due to the fact that you are using an outdated version (1.3) of Spybot. v1.5.2.20 was released on 1/29/08 and you should update.

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

The type of cookie that is a cause for some concern is the "tracking cookie", because these can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in, and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads you have clicked on. They are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners. Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups nor do they install malware.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize this by reading "Blocking & Managing Unwanted Cookies" and "Block Third-Party Cookies in IE7".

Edited by quietman7, 22 February 2008 - 10:40 PM.

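Added example, not part of this thread and not Spybot's own code: a Python script that applies the triage quietman7 does above to the two log sections the replies rely on, the search result list and the startup entries list. It parses the Spybot 1.x line format, treats cookies as privacy-only text files, resolves a flagged Run value (NvCplDaemon) to the command it actually launches so the reader sees NvCpl.dll, and marks other hits from a build older than the 1.5.2.20 release cited above as unverified. The log text is a constructed sample copied from the posted log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a live scan): the Spybot S&D 1.x log sections the
# replies in this thread reason about, with values copied from the log above.
SAMPLE_LOG = r"""--- Search result list ---
DoubleClick: Tracking cookie (Internet Explorer: me) (Cookie, nothing done)

ABetterInternet.Aurora: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

Talex.FTP.RegScan: Program directory (Directory, nothing done)
C:\WINDOWS\ftpcache\

--- Spybot - Search && Destroy version: 1.3 ---
--- Startup entries list ---
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

CURRENT_SPYBOT = (1, 5, 2, 20)  # the release the reply above names as current
SECTION_RE = re.compile(r"^--- (.+?) ---$")
# "<family>: <description> (<kind>, <action>)"; the greedy description group
# backtracks to the last "(" so parentheses inside the description are kept.
RESULT_RE = re.compile(r"^(?P<family>[^:]+): (?P<desc>.+) \((?P<kind>[^(),]+), (?P<action>[^()]+)\)$")
VERSION_RE = re.compile(r"version: (\d+(?:\.\d+)*)")

@dataclass
class Finding:
    family: str
    kind: str
    locations: list = field(default_factory=list)
    verdict: str = ""

def split_sections(text):
    """Map each '--- heading ---' line to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections[(current := m.group(1))] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def spybot_version(sections):
    """The scanner version sits in a heading ('... version: 1.3'); None if absent."""
    m = next((m for m in map(VERSION_RE.search, sections) if m), None)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def parse_results(lines):
    """One Finding per result line; non-blank lines after it are its locations."""
    findings = []
    for line in lines:
        m = RESULT_RE.match(line)
        if m:
            findings.append(Finding(m["family"], m["kind"]))
        elif line and findings:
            findings[-1].locations.append(line)
    return findings

def parse_startup(lines):
    """Map each autorun value name ('Located: HK_LM:Run, <name>') to its command."""
    commands, name = {}, None
    for line in lines:
        if line.startswith("Located: "):
            name = line.split(", ", 1)[1]
        elif line.startswith("command: ") and name:
            commands[name] = line[len("command: "):]
    return commands

def triage(log_text):
    """Attach a verdict to every search result, following the reasoning in the thread."""
    sections = split_sections(log_text)
    version = spybot_version(sections)
    outdated = version is None or version < CURRENT_SPYBOT
    commands = parse_startup(sections.get("Startup entries list", []))
    findings = parse_results(sections.get("Search result list", []))
    for f in findings:
        if f.kind == "Cookie":
            f.verdict = "privacy only: a text file that cannot execute or install anything"
        elif f.kind == "Registry value" and f.locations:
            name = f.locations[0].rsplit("\\", 1)[-1]  # value name under ...\Run
            cmd = commands.get(name)
            f.verdict = (f"check what {name} launches: {cmd}" if cmd
                         else f"check: {name} has no entry in the startup list")
        else:
            f.verdict = "unverified: outdated definitions, possible false positive" if outdated else "verify manually"
    return findings
```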

#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,565 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 February 2008 - 10:42 PM

Forgot to mention.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.




