HijackThis Log: Please Help Diagnose


This topic is locked
1 reply to this topic

#1 jbsteeves
Members, 1 posts

Posted 23 April 2008 - 05:18 PM

My computer is infected with something, but I can't figure out what or how to fix it. I ran Spybot prior to HijackThis, and it showed 'Virtumonde' (with 3 total entries) and 'Virtumonde.dll' (with 8 total entries).


*I also pasted the Spybot report underneath the HijackThis report*



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:58 PM, on 4/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\EPoX\EPTP\EPTP.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\OJWFYZI1\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4434B3FE-6F42-463E-A88B-85C4B27660D7} - C:\WINNT\system32\geBuRIXq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: {87c5f26e-8c30-807a-f134-9fc416f9c059} - {950c9f61-4cf9-431f-a708-03c8e62f5c78} - C:\WINNT\system32\grqvbsvo.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINNT\system32\efcYSkij.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Privacy Service] C:\Program Files\McAfee\MPS\mps.exe -r
O4 - HKLM\..\Run: [hwmdr] "C:\Program Files\EPoX\EPTP\EPTP.EXE" "5000"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O20 - Winlogon Notify: efcYSkij - C:\WINNT\SYSTEM32\efcYSkij.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 6485 bytes

Spybot Log:


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-05 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi
2008-04-17 Includes\AdwareC.sbi
2008-04-17 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi
2008-04-17 Includes\DialerC.sbi
2008-04-17 Includes\HeavyDuty.sbi
2008-03-19 Includes\Hijackers.sbi
2008-04-17 Includes\HijackersC.sbi
2008-02-27 Includes\Keyloggers.sbi
2008-04-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-03-26 Includes\Malware.sbi
2008-04-17 Includes\MalwareC.sbi
2008-03-26 Includes\PUPS.sbi
2008-04-17 Includes\PUPSC.sbi
2008-04-17 Includes\Revision.sbi
2008-01-09 Includes\Security.sbi
2008-04-17 Includes\SecurityC.sbi
2008-04-16 Includes\Spybots.sbi
2008-04-17 Includes\SpybotsC.sbi
2008-04-16 Includes\Spyware.sbi
2008-04-17 Includes\SpywareC.sbi
2007-11-06 Includes\Tracks.uti
2008-04-16 Includes\Trojans.sbi
2008-04-17 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows 2000 (Build: 2195) Service Pack 4 (5.0.2195)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX 9: Security Update for DirectX 9 (KB941568)
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905495
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB938127
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB942615
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB944533
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB947864
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB948881
/ Outlook Express 5.50 / SP2: Windows 2000 Hotfix - KB897715
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB941202
/ Windows 2000: Security Update for Windows 2000 (KB941569)
/ Windows 2000 / SP-1: Windows 2000 Hotfix (Special Release) Q816093
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828741
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB835732
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB837001
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB840987
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841356
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841533
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841872
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841873
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842526
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB871250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873333
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873339
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885835
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885836
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB888113
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890046
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890859
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB891781
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893066
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893086
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893756
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB894320
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896358
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896423
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899587
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899589
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB900725
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901017
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901214
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908519
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908531
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB911280
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB913580
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914388
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB914389
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917008
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB917537
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB918118
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920213
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920670
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920683
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB920685
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB921398
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB921503
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB922582
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923191
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923810
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB923980
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924270
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB924667
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB925902
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926122
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB926436
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB927891
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB928843
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB930178
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB931784
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB933729
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935839
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB935840
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB936021
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB937894
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB938827
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB938829
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB941644
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB941693
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB942831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943055
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB943485
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB944338
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB945553
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB948590
/ Windows 2000 / SP5: Update Rollup 1 for Windows 2000 SP4
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)


--- Startup entries list ---
Located: HK_LM:Run, hwmdr
command: "C:\Program Files\EPoX\EPTP\EPTP.EXE" "5000"
file: C:\Program Files\EPoX\EPTP\EPTP.EXE
size: 984576
MD5: A03E9AB2D4B34CFBD6F67B89B6A0BA38

Located: HK_LM:Run, McAfee Privacy Service
command: C:\Program Files\McAfee\MPS\mps.exe -r
file: C:\Program Files\McAfee\MPS\mps.exe
size: 906792
MD5: A59C48001BF02AD6306019D1C4F58050

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9B2F5B9E745DEAAA57FB78329ED03061

Located: HK_LM:RunOnce, SpybotDeletingA4629
command: command /c del "C:\WINNT\SchedLgU.Txt"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingA5790
command: command /c del "C:\WINNT\system32\geBuRIXq.dll"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingA7538
command: command /c del "C:\WINNT\system32\grqvbsvo.dll_old"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:RunOnce, SpybotDeletingC1892
command: cmd /c del "C:\WINNT\system32\grqvbsvo.dll_old"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: HK_LM:RunOnce, SpybotDeletingC3944
command: cmd /c del "C:\WINNT\SchedLgU.Txt"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: HK_LM:RunOnce, SpybotDeletingC8037
command: cmd /c del "C:\WINNT\system32\geBuRIXq.dll"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: HK_CU:RunOnce, SpybotDeletingB1461
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: command /c del "C:\WINNT\system32\geBuRIXq.dll"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB2934
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: command /c del "C:\WINNT\system32\grqvbsvo.dll_old"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingB6740
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: command /c del "C:\WINNT\SchedLgU.Txt"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, SpybotDeletingD3752
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: cmd /c del "C:\WINNT\SchedLgU.Txt"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: HK_CU:RunOnce, SpybotDeletingD6969
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: cmd /c del "C:\WINNT\system32\grqvbsvo.dll_old"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: HK_CU:RunOnce, SpybotDeletingD8619
where: S-1-5-21-1757981266-1606980848-839522115-1001...
command: cmd /c del "C:\WINNT\system32\geBuRIXq.dll"
file: C:\WINNT\system32\cmd.exe
size: 236816
MD5: 6E6B078275E583496EDE4512DF3036ED

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, efcYSkij
command: efcYSkij.dll
file: efcYSkij.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 4/23/2008 5:29:06 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2/5/2008 4:03:16 PM
Date (last access): 4/23/2008 5:33:02 PM
Date (last write): 1/28/2008 12:43:28 PM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11

{5CE8BF43-E878-4BB6-96A4-EA7AA40544C2} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINNT\system32\
Long name: geBuRIXq.dll
Short name:
Date (created): 4/23/2008 6:45:40 AM
Date (last access): 4/23/2008 6:03:40 PM
Date (last write): 4/23/2008 6:45:44 AM
Filesize: 272384
Attributes:
MD5: B39DC260EB79BA048ABFBA63E94927BF
CRC32: E67CA775

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: ssv.dll
Short name:
Date (created): 2/5/2008 1:58:30 PM
Date (last access): 4/23/2008 5:29:06 PM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 501136
Attributes: archive
MD5: D787E3123FAD2BD58AB45B9A5C360ACD
CRC32: DDC625C2
Version: 6.0.30.5

{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: scriptproxy
Path: c:\PROGRA~1\mcafee\VIRUSS~1\
Long name: scriptcl.dll
Short name:
Date (created): 2/25/2008 11:49:38 PM
Date (last access): 4/23/2008 5:33:02 PM
Date (last write): 1/9/2008 10:09:38 AM
Filesize: 58688
Attributes: archive
MD5: D1B5F027C606321823E79D8178930C7C
CRC32: B5A93209
Version: 13.3.2.126

{A6C54318-5AC7-477D-B0A7-49AF5189300C} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINNT\system32\
Long name: efcYSkij.dll
Short name:
Date (created): 4/23/2008 5:33:12 AM
Date (last access): 4/23/2008 5:33:02 PM
Date (last write): 4/23/2008 5:33:12 AM
Filesize: 37888
Attributes: archive
MD5: FA4356974A67FFDC905ACD16A65978F8
CRC32: 3AFDA5FF

{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: CPub Object
description: Popup XP, Popup XP
classification: Legitimate
known filename: BHOPXP.dll
info link: http://www.codeproject.com/atl/popupblocker.asp
info source: TonyKlein
Path: c:\PROGRA~1\mcafee\mps\
Long name: McPopup.dll
Short name:
Date (created): 2/5/2008 1:33:00 PM
Date (last access): 4/23/2008 5:29:06 PM
Date (last write): 4/18/2007 3:07:40 PM
Filesize: 174120
Attributes: archive
MD5: AC157CEF038BF4E2F7650861A34326E9
CRC32: B16F6593
Version: 9.2.134.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINNT\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 10/11/2007 3:12:48 PM
Date (last access): 4/23/2008 5:58:18 PM
Date (last write): 10/11/2007 3:12:48 PM
Filesize: 1468968
Attributes: archive
MD5: FC6680B6D4812D017109518AC07DED0E
CRC32: 4DC7C79C
Version: 1.7.59.1

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\Program Files\Yahoo!\Common\yinst.inf
Codebase: C:\Program Files\Yahoo!\Common\yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Yahoo!\Common\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 3/31/2008 9:51:10 PM
Date (last access): 4/23/2008 6:15:26 AM
Date (last write): 7/30/2006 2:25:34 PM
Filesize: 188968
Attributes: archive
MD5: 18B54B53CEE0E7204495BAB864EBBF03
CRC32: 6D72BB93
Version: 2006.4.14.2

{4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class)
DPF name:
CLSID name: EPUImageControl Class
Installer: C:\WINNT\Downloaded Program Files\EPUWALcontrol.inf
Codebase: http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
description:
classification: Legitimate
known filename: EPUWalcontrol.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: EPUWALcontrol.dll
Short name: EPUWAL~1.DLL
Date (created): 6/15/2006 7:33:54 PM
Date (last access): 4/23/2008 5:51:04 PM
Date (last write): 6/15/2006 7:33:54 PM
Filesize: 1132192
Attributes: archive
MD5: 6C378170CBEC45E5DBBE6B5A17BB3C90
CRC32: 679C2B95
Version: 1.0.3.48

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer: C:\WINNT\Downloaded Program Files\jinstall-6u3.inf
Codebase: http://java.sun.com/update/1.6.0/jinstall-...ows-i586-jc.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2007 12:31:44 AM
Date (last access): 4/23/2008 6:14:38 AM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class)
DPF name:
CLSID name: InetDownload Class
Installer: C:\WINNT\Downloaded Program Files\WMDL.inf
Codebase: https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
description:
classification: Legitimate
known filename: WMDownload.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: WMDownload.dll
Short name: WMDOWN~1.DLL
Date (created): 5/21/2001 3:18:54 PM
Date (last access): 4/23/2008 5:51:04 PM
Date (last write): 5/21/2001 3:18:54 PM
Filesize: 147456
Attributes: archive
MD5: A9DDDC823ABF874B7F7940912C540224
CRC32: E1321F78
Version: 2.0.0.4

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2007 12:31:44 AM
Date (last access): 4/23/2008 6:14:00 PM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2007 12:31:44 AM
Date (last access): 4/23/2008 6:14:00 PM
Date (last write): 9/25/2007 2:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5



--- Process list ---
PID: 0 ( 0) [System]
PID: 164 ( 8) \SystemRoot\System32\smss.exe
size: 45840
PID: 188 ( 164) \??\C:\WINNT\system32\csrss.exe
size: 5392
PID: 184 ( 164) \??\C:\WINNT\system32\winlogon.exe
size: 186640
PID: 240 ( 184) C:\WINNT\system32\services.exe
size: 92944
MD5: B861B4E6E9637EB76A40C10C552E0229
PID: 252 ( 184) C:\WINNT\system32\lsass.exe
size: 33552
MD5: F19D0A319AB4BF5496F08807CB9B8651
PID: 380 ( 240) C:\WINNT\system32\Ati2evxx.exe
size: 405504
MD5: C2576358EB08AE7889D2CBB8389FFA6A
PID: 468 ( 240) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 492 ( 240) C:\WINNT\system32\spoolsv.exe
size: 47376
MD5: FACFB75ECC070103619FA044E0B210D3
PID: 520 ( 240) C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
size: 587096
MD5: 0629361FAC4576BA48AB39F4903DCE9E
PID: 548 ( 240) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
size: 312880
MD5: 5DCD235C061022BCDA9AA48670B64211
PID: 564 ( 240) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 620 ( 240) C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
size: 540776
MD5: 38BCCF016B694A745E1CDBC0B080A59C
PID: 676 ( 240) C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
size: 361560
MD5: BB8A45E65BE310996A201F8A75646A8D
PID: 692 ( 240) c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
size: 2213416
MD5: 39621D46D16AF1FCF6063BCED5CA60FC
PID: 740 ( 240) C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
size: 362064
MD5: D984FAF698966AA360C1702EF623C3F9
PID: 764 ( 240) C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
size: 493144
MD5: 14313FF5203DF7CB53E8D2F18F59D4D2
PID: 884 ( 240) c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
size: 353368
MD5: 7BC413411A8A0E58ECB6868FFC2180D9
PID: 924 ( 240) c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
size: 256096
MD5: DAF486036F2F6EE9DBA390D3CF2E5C29
PID: 940 ( 240) C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
size: 144960
MD5: 6611420C3CC970126C86ADCDC376AE39
PID: 1044 ( 240) C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
size: 643664
MD5: 9770A8706BBA3C4CBEA998D2A6BF2D08
PID: 1080 ( 240) C:\Program Files\McAfee\MPF\MPFSrv.exe
size: 841256
MD5: 1CAD000C45ED402F9C61F90CF8D208C2
PID: 1144 ( 240) C:\PROGRA~1\McAfee\MPS\mps.exe
size: 906792
MD5: A59C48001BF02AD6306019D1C4F58050
PID: 372 ( 240) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 1288 ( 240) C:\WINNT\system32\MSTask.exe
size: 122128
MD5: B00529EAE5D0CE97010B69CC677128C8
PID: 1332 ( 240) C:\WINNT\System32\tcpsvcs.exe
size: 25360
MD5: AFF80A02D36896473184A0654CC3E505
PID: 1380 ( 240) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 1472 ( 240) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 1488 ( 240) C:\WINNT\System32\inetsrv\inetinfo.exe
size: 14608
MD5: 7AD491F77E79CCD16D7CEC9784446B0A
PID: 1704 ( 184) C:\WINNT\system32\Ati2evxx.exe
size: 405504
MD5: C2576358EB08AE7889D2CBB8389FFA6A
PID: 1776 (1740) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1804 ( 468) C:\Program Files\McAfee\MPS\mpsevh.exe
size: 304680
MD5: 6510D5303CC0D1CF1908B8BD21063420
PID: 1948 ( 468) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 566872
MD5: 4C4F3DE9CF6E0F8B7A4AE639FF981BFF
PID: 2020 (1776) C:\Program Files\EPoX\EPTP\EPTP.EXE
size: 984576
MD5: A03E9AB2D4B34CFBD6F67B89B6A0BA38
PID: 1988 (1776) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 1232 (1776) C:\Program Files\Internet Explorer\IEXPLORE.EXE
size: 91136
MD5: EB9EAF627F705525D01DE5FA07EA1818
PID: 1496 (1776) C:\WINNT\system32\NOTEPAD.EXE
size: 50960
MD5: CF8C98E8B3979F15DF77A7DE2E51BCC1
PID: 1720 (1776) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 4/23/2008 6:14:00 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.yahoo.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9000CE63-69AA-4554-B104-4E7905864609}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9000CE63-69AA-4554-B104-4E7905864609}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A68FE6B0-E955-401C-93E5-917204B05FE8}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A68FE6B0-E955-401C-93E5-917204B05FE8}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B4AA5303-BCA8-4296-BDE1-BA2199F6B7C2}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B4AA5303-BCA8-4296-BDE1-BA2199F6B7C2}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:53 PM

Posted 10 May 2008 - 02:36 PM

I apologise for the wait; there are just more logs than the volunteers can get to as fast as they would like. If your issue is not resolved, post a new HJT log using Add Reply and I will take a look. If I do not hear from you in a couple of days, I will assume you no longer need help and close the topic.

Thanks for your patience.
pskelley
BleepingComputer

Before you post, delete this unsafe copy of HJT:
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\OJWFYZI1\HiJackThis[1].exe

and follow these directions:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



