
Smitfraud, Smitfraud-c.toolbar888, And Friends...


  • This topic is locked
21 replies to this topic

#1 drwc

drwc

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 26 November 2006 - 04:14 PM

I executed the wrong .exe yesterday - it infected me with smitfraud and smitfraud-c.toolbar888, according to Spybot. (And the other trash they invite onto my computer). Since then I've followed the advice I could find here about things to try to remove them:

SmitfraudFix (in safe mode)
AVG Anti-Spyware (in safe mode, with updated definitions)
AdAware
Spybot

Spybot directed me to use Process Explorer to stop the process it ID'ed as Smitfraud-C.Toolbar888 (MSSMGR), but there wasn't any such process listed under winlogon.exe's threads properties (where it said to look). I did see some processes listed as ishost.exe and ismini.exe that were suspicious, and when stopped made the icons for the fake virus removal services disappear from the taskbar.

However the Smitfraud-c.toolbar reappears in spybot after rebooting, despite Spybot saying it has been removed each time I run it. Also, when I run IE (after removing what the above programs found, and resetting the start page) the problems just start all over again. Clearly, although the things I have tried are finding and removing some problems, I haven't gotten to the real root of the problem.

So, I've reached the limit of what I can think of, and hope that someone more smart about these things can help me.

I can keep the infected machine disconnected from the internet; I'm using another for the time being.

I also still have a copy of the .exe that did this, if examination of it would be useful.

:thumbsup: Please help!


Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:24 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\OpenOffice 2.0\program\soffice.exe
C:\Program Files\OpenOffice 2.0\program\soffice.BIN
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Documents and Settings\dwc\Desktop\adisinfect\ProcessExplorer\procexp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Documents and Settings\dwc\Desktop\adisinfect\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwov.dll,startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WallPaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: Samcal.lnk = C:\Program Files\SamCal\samcal.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:12 AM

Posted 26 November 2006 - 09:46 PM

Hello and welcome,

My name is SifuMike and I will be helping you. :thumbsup:
I am reviewing your log, and will post back shortly
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:12 AM

Posted 26 November 2006 - 10:01 PM

Hello drwc,

However the Smitfraud-c.toolbar reappears in spybot after rebooting, despite Spybot saying it has been removed each time I run it. Also, when I run IE (after removing what the above programs found, and resetting the start page) the problems just start all over again.



Is it Smitfraud-c.toolbar or Smitfraud-C.Toolbar888 Spybot is finding?

According to Spybot, Smitfraud-C.Toolbar888 is a false positive that will be fixed with the next updates.

http://forums.spybot.info/showthread.php?t=8668

http://forums.spybot.info/showthread.php?t=8823


Not sure why you have a Realtek file running from your
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
While it is a legitimate file, it should not be in a temp folder. We will be deleting everything in the temp folder.

You have a trojan on your computer. Not to worry, we will soon have it off. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwov.dll,startup




*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\ALCMTR.EXE <==file
C:\WINDOWS\system32\drvwov.dll <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


Post a new Hijackthis log, ComboFix log and tell me how your computer is running.
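The triage SifuMike did by eye on the log above (a process running from a Temp folder, an O4 Run entry that uses rundll32 to load a DLL, a service with no publisher) can be mechanised. The following is an added example, not code from this thread or from HijackThis itself: a Python script that reads HijackThis 1.99 log text and flags the same kinds of entries. The sample lines are copied from the log posted in this thread; the category labels, the "bare file name" rule and the regexes are my own choices, and a flag means "look closer", not "malicious" (the helper above removed ALCMTR.EXE as a precaution, and this script only reports it as a Run entry without a full path).

```python
"""Flag the entries in a HijackThis 1.99 log that a malware helper checks first."""
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwov.dll,startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Any path component named Temp or tmp (LOCALS~1\Temp is the 8.3 form of Local Settings\Temp).
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# "O4 - HKLM\..\Run: [name] command" -- a Run key value in HKLM or HKCU.
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 invoked with a .dll as its first argument (a .cpl, as for bthprops.cpl, is not matched).
RUNDLL_DLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+?\.dll)\b", re.IGNORECASE)
# "O23 - Service: display name - publisher - path"
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Every HijackThis entry line starts with a letter, a number, and " - " (R0, O4, O23, ...).
ENTRY_LINE = re.compile(r"^[A-Z]\d+ - ")


def triage(log_text):
    """Return (category, line) pairs for log lines that deserve a closer look.

    Categories used here (my own labels, not HijackThis terminology):
      - "process running from a temp folder"
      - "rundll32 loading a DLL at logon"
      - "Run entry without a full path" (the file is resolved via the search path)
      - "service with no publisher" (HijackThis prints "Unknown owner")
    """
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if ENTRY_LINE.match(line):
            section = "entries"
        if section == "processes":
            if TEMP_DIR.search(line):
                findings.append(("process running from a temp folder", line))
            continue

        run = RUN_ENTRY.match(line)
        if run:
            cmd = run.group("cmd").strip().strip('"')
            if cmd.lower().startswith("rundll32"):
                if RUNDLL_DLL.match(cmd):
                    findings.append(("rundll32 loading a DLL at logon", line))
            elif "\\" not in cmd.split()[0]:
                findings.append(("Run entry without a full path", line))
            continue

        svc = SERVICE.match(line)
        if svc and svc.group("owner").lower() == "unknown owner":
            findings.append(("service with no publisher", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

Run it against a saved log with `python triage.py < hijackthis.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. The rules are deliberately narrow: a DLL loaded by rundll32 from system32 may be a legitimate vendor component, so the next step for each flagged path is to check the file's publisher and a hash lookup, not to delete it, and a clean report does not mean a clean machine (the log format says nothing about what a DLL does once loaded).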

#4 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:12 AM

Posted 27 November 2006 - 07:36 AM

Hello SifuMike ... and thanks!

Smitfraud-C.Toolbar888 is what continues to persist in Spybot, but the (plain) Smitfraud also reappeared when I ran IE (after cleaning/fixing everything as best I could with the programs I listed)

Following your directions, I booted into safe mode, and removed the 2 line items in HijackThis.

Then deleted the two files you listed ... there was a file next to ALCMTR.EXE, with the same icon, named ALCWZRD.exe, that I left in place. Didn't know if it too should be deleted.

Then I installed and ran CCleaner, as directed (still in safe mode). Of note, there was no Java section listed in the Applications Internet section. I left the cookies unchecked in IE and Opera (the browser I normally use - to avoid problems like this!!), but I had run ATF Cleaner yesterday, so I think I may have deleted them when I did that.

When I boot into Windows, normal mode, I keep getting the 'trying to connect to the internet' 'Work offline' or 'Try Again' dialog box popping up.

(The machine is disconnected from the internet - I'm using my old laptop currently, and moving files to and from the infected one using a flash drive.)

I then ran Combofix. I do have Norton Antivirus (2006), but I could not find a section for script blocking in the options. It's a version that came bundled with the computer ... maybe it lacks this function? Hopefully it didn't interfere with Combofix - no warnings came up while it ran.

I rebooted before then running HijackThis; the log attached is after the reboot.

I'm still getting that 'Work Offline' or 'Try Again' dialog popping up. Computer seems to be running better, although still quite slow.

Thanks for your help, it is greatly appreciated!

The following is the Combofix log, then the HijackThis one, separated with double row of ****:



dwc - 06-11-27 7:00:37.31 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\dwc\Desktop\adisinfect"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))


2006-11-27 06:32 <DIR> dr-h----- C:\Documents and Settings\dwc\Recent
2006-11-27 06:22 <DIR> d-------- C:\Program Files\CCleaner
2006-11-26 21:01 764,533 ---hs---- C:\WINDOWS\system32\jlnmp.ini2
2006-11-26 15:17 <DIR> d-------- C:\Documents and Settings\dwc\.housecall6.6
2006-11-26 13:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-26 13:46 40,973 ---hs---- C:\WINDOWS\system32\iiffebc.dll
2006-11-26 10:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 10:54 <DIR> d-------- C:\Program Files\Grisoft
2006-11-26 08:38 756,142 ---hs---- C:\WINDOWS\system32\jlnmp.bak1
2006-11-26 08:38 708,660 ---hs---- C:\WINDOWS\system32\pmnlj.dll
2006-11-26 08:33 40,973 ---hs---- C:\WINDOWS\system32\wvuttqr.dll
2006-11-26 07:32 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-26 07:32 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Lavasoft
2006-11-26 00:48 <DIR> d-------- C:\VundoFix Backups
2006-11-25 21:29 38,420 --a------ C:\WINDOWS\system32\mtufcark.dll
2006-11-25 21:29 126,996 --a------ C:\WINDOWS\system32\lrsovofh.dll
2006-11-25 21:24 40,973 ---hs---- C:\WINDOWS\system32\awtqrom.dll
2006-11-25 21:24 <DIR> d-------- C:\Program Files\StartEd
2006-11-25 21:23 17,408 --a------ C:\WINDOWS\system32\winrzf32.dll
2006-11-25 20:14 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ABBYY
2006-11-25 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2006-11-25 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 7
2006-11-25 10:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2006-11-25 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2006-11-25 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-24 16:12 81,920 -ra------ C:\WINDOWS\system32\equcof.dll
2006-11-24 16:12 45,056 -ra------ C:\WINDOWS\system32\uacb.dll
2006-11-24 16:12 21,276 -ra------ C:\WINDOWS\system32\drivers\uacflt.sys
2006-11-24 16:12 <DIR> d-------- C:\Program Files\PerSono
2006-11-24 15:59 <DIR> d-------- C:\Program Files\Picasa2
2006-11-24 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-24 06:58 <DIR> d-------- C:\Program Files\SpeedswitchXP
2006-11-23 22:31 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-23 21:46 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Netscape
2006-11-23 21:41 <DIR> d-------- C:\Program Files\Netscape
2006-11-23 21:41 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-11-23 20:51 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2006-11-23 20:51 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2006-11-23 20:51 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-23 20:40 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Nikon
2006-11-23 20:32 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2006-11-23 20:32 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2006-11-23 20:32 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2006-11-23 20:32 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2006-11-23 20:32 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2006-11-23 20:32 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2006-11-23 20:32 3,579,904 --a------ C:\WINDOWS\system32\NkNEFPlugin.dll
2006-11-23 20:32 180,224 -ra------ C:\WINDOWS\system32\Strato5.dll
2006-11-23 20:32 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2006-11-23 20:32 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2006-11-23 20:32 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2006-11-23 20:32 <DIR> d-------- C:\Program Files\Nikon
2006-11-23 20:32 <DIR> d-------- C:\Program Files\Common Files\Nikon
2006-11-23 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2006-11-23 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2006-11-23 08:19 <DIR> d--hs---- C:\RECYCLER
2006-11-22 22:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-11-22 22:24 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\EPSON
2006-11-22 22:13 887,296 --a------ C:\WINDOWS\system32\libeay32.dll
2006-11-22 22:13 626,688 --a------ C:\WINDOWS\system32\libcurl.dll
2006-11-22 22:13 233,557 --a------ C:\WINDOWS\system32\esint54.dll
2006-11-22 22:13 196,608 --a------ C:\WINDOWS\system32\esdice63.dll
2006-11-22 22:13 172,032 --a------ C:\WINDOWS\system32\libssl32.dll
2006-11-22 22:13 167,936 --a------ C:\WINDOWS\system32\DICELibSF1.dll
2006-11-22 22:13 151,552 --a------ C:\WINDOWS\system32\DICELibSF2.dll
2006-11-22 21:45 <DIR> d-------- C:\WINDOWS\system32\Color
2006-11-22 21:45 <DIR> d-------- C:\Program Files\LaserSoft
2006-11-22 21:01 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Lasersoft Imaging
2006-11-22 20:55 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2006-11-22 20:55 10,880 --a------ C:\WINDOWS\system32\drivers\scsiscan.sys
2006-11-22 20:54 33,280 --a------ C:\WINDOWS\system32\esccm.dll
2006-11-22 20:54 32,256 --a------ C:\WINDOWS\system32\escwiab.dll
2006-11-22 20:54 27,648 --a------ C:\WINDOWS\system32\escimg.dll
2006-11-22 20:54 <DIR> d-------- C:\Program Files\EPSON
2006-11-21 23:05 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-11-19 23:23 <DIR> d-------- C:\Program Files\SlySoft
2006-11-19 22:29 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-11-19 22:29 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-19 22:29 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-11-19 22:29 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-19 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2006-11-19 22:28 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Logitech
2006-11-19 22:25 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2006-11-19 22:25 71,936 --a------ C:\WINDOWS\system32\drivers\LMOUKE.sys
2006-11-19 22:25 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-11-19 22:25 55,936 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2006-11-19 22:25 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2006-11-19 22:25 27,136 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2006-11-19 22:25 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-11-19 22:25 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-11-19 22:25 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2006-11-19 22:25 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-11-19 22:25 <DIR> d-------- C:\Program Files\Logitech
2006-11-19 22:09 <DIR> d-------- C:\Program Files\Epocrates
2006-11-19 22:09 <DIR> d-------- C:\Program Files\Common Files\Epocrates
2006-11-19 22:01 66,048 --a------ C:\WINDOWS\system32\agcmn.dll
2006-11-19 22:01 50,880 --a------ C:\WINDOWS\system32\agproxy.dll
2006-11-19 22:01 47,936 --a------ C:\WINDOWS\system32\wgrs.dll
2006-11-19 22:01 43,824 --a------ C:\WINDOWS\system32\agprtcl.dll
2006-11-19 22:01 42,368 --a------ C:\WINDOWS\system32\agconnct.dll
2006-11-19 22:01 416,000 --a------ C:\WINDOWS\system32\agsnet.dll
2006-11-19 22:01 40,712 --a------ C:\WINDOWS\system32\agcrypto.dll
2006-11-19 22:01 34,592 --a------ C:\WINDOWS\system32\agnet.dll
2006-11-19 22:01 34,464 --a------ C:\WINDOWS\system32\agcehdlr.dll
2006-11-19 22:01 25,152 --a------ C:\WINDOWS\system32\agcncmn.dll
2006-11-19 22:01 146,736 --a------ C:\WINDOWS\system32\agclcmn.dll
2006-11-19 22:01 111,376 --a------ C:\WINDOWS\system32\expat.dll
2006-11-19 22:01 <DIR> d-------- C:\Program Files\AvantGo
2006-11-19 21:38 <DIR> d-------- C:\Program Files\SplashData
2006-11-19 21:16 <DIR> d-------- C:\Program Files\Beyond Contacts
2006-11-19 21:03 <DIR> d-------- C:\Program Files\Documents To Go
2006-11-19 21:03 <DIR> d-------- C:\Program Files\Common Files\DataViz
2006-11-19 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2006-11-19 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2006-11-19 20:56 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\HotSync
2006-11-19 20:53 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Leadertech
2006-11-19 20:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-19 20:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-11-19 20:27 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2006-11-19 20:26 <DIR> d-------- C:\Palm
2006-11-19 17:54 <DIR> d-------- C:\Program Files\TreePad Lite
2006-11-19 17:44 67,472 --a------ C:\WINDOWS\UnDeploy.exe
2006-11-19 17:44 <DIR> d-------- C:\Program Files\JGsoft
2006-11-19 17:44 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\JGsoft
2006-11-19 10:54 <DIR> d-------- C:\Apps
2006-11-18 20:54 <DIR> d-------- C:\Program Files\Spybot
2006-11-18 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-18 20:23 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\WINDOWS\PIXTRAN
2006-11-18 20:22 <DIR> d-------- C:\Program Files\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\Program Files\Common Files\Scansoft Shared
2006-11-18 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-11-18 09:28 299,520 --a------ C:\WINDOWS\uninst.exe
2006-11-18 09:28 15,360 --a------ C:\WINDOWS\system32\ATMsrvc.exe
2006-11-18 09:28 <DIR> d-------- C:\PSFONTS
2006-11-18 09:28 <DIR> d-------- C:\Program Files\Adobe Type Manager
2006-11-18 09:27 65,536 --a------ C:\WINDOWS\system32\adistres.dll
2006-11-18 09:27 20,584 --a------ C:\WINDOWS\system32\PdfPorts.dll
2006-11-18 09:27 <DIR> d-------- C:\Documents and Settings\dwc\WINDOWS
2006-11-18 09:26 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\InterTrust
2006-11-18 09:25 94,285 --a------ C:\WINDOWS\system32\Msvcirtd.dll
2006-11-18 09:25 6,144 --a------ C:\WINDOWS\system32\W95fiber.dll
2006-11-18 09:25 5,632 --a------ C:\WINDOWS\system32\Mfcuia32.dll
2006-11-18 09:25 33,424 --a------ C:\WINDOWS\system32\Urlcache.dll
2006-11-18 09:25 322,832 --a------ C:\WINDOWS\system32\Mfc30.dll
2006-11-18 09:25 32,792 --a------ C:\WINDOWS\Spwhpt.dll
2006-11-18 09:25 212,480 --a------ C:\WINDOWS\Pcdlib32.dll
2006-11-18 09:25 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2006-11-18 09:25 133,904 --a------ C:\WINDOWS\system32\Mfcans32.dll
2006-11-18 09:25 133,392 --a------ C:\WINDOWS\system32\Mfco30.dll
2006-11-18 08:47 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-11-18 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2006-11-18 08:37 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-11-18 08:37 <DIR> d-------- C:\WINDOWS\system32\Adobe
2006-11-18 08:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-11-18 08:24 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-18 08:23 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-17 21:13 34,308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-11-17 20:53 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\InterVideo
2006-11-17 20:50 <DIR> d-------- C:\Program Files\InterActual
2006-11-17 20:50 <DIR> d-------- C:\Program Files\DivX
2006-11-17 20:49 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2006-11-17 20:49 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2006-11-17 20:49 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2006-11-17 20:49 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2006-11-17 20:49 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2006-11-17 20:49 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2006-11-17 20:49 <DIR> d-------- C:\Program Files\InterVideo Information Service
2006-11-17 20:49 <DIR> d-------- C:\Program Files\InterVideo
2006-11-17 20:49 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2006-11-17 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2006-11-17 07:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-17 06:50 167,936 --a------ C:\WINDOWS\system32\LexLog.dll
2006-11-17 06:50 <DIR> d-------- C:\Program Files\Dell
2006-11-17 06:49 <DIR> d-------- C:\dell
2006-11-16 23:23 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\AdobeUM
2006-11-16 23:13 <DIR> d---s---- C:\Documents and Settings\dwc\UserData
2006-11-16 23:02 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\OfficeUpdate12
2006-11-16 22:56 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-11-16 22:56 <DIR> d-------- C:\Program Files\Common Files\Designer
2006-11-16 22:55 <DIR> d-------- C:\WINDOWS\ShellNew
2006-11-16 22:55 <DIR> d-------- C:\Program Files\Microsoft Office
2006-11-16 22:55 <DIR> d-------- C:\Program Files\Common Files\L&H
2006-11-16 21:41 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Adobe
2006-11-15 22:28 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\U3
2006-11-15 21:58 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Help
2006-11-15 21:54 <DIR> d-------- C:\Program Files\WinRAR
2006-11-15 21:54 <DIR> d-------- C:\Program Files\WallpaperChanger
2006-11-15 21:54 <DIR> d-------- C:\Program Files\SamCal
2006-11-15 21:54 <DIR> d-------- C:\Program Files\LexarMedia
2006-11-15 21:54 <DIR> d-------- C:\Program Files\IrfanView
2006-11-15 21:54 <DIR> d-------- C:\Program Files\IconsExtract
2006-11-15 21:54 <DIR> d-------- C:\Program Files\Icon Extracter
2006-11-15 21:54 <DIR> d-------- C:\Program Files\EditPadLite
2006-11-15 21:54 <DIR> d-------- C:\Program Files\dnoter
2006-11-15 20:44 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Qualcomm
2006-11-15 20:39 48,640 -ra------ C:\WINDOWS\system32\INETWH32.DLL
2006-11-15 20:39 1,056,768 --a------ C:\WINDOWS\system32\Roboex32.dll
2006-11-15 20:39 <DIR> d-------- C:\Program Files\Qualcomm
2006-11-13 22:17 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-13 22:14 <DIR> d-------- C:\Program Files\Nero
2006-11-13 22:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
2006-11-13 22:14 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Ahead
2006-11-13 22:10 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\OpenOffice.org2
2006-11-13 22:03 <DIR> d-------- C:\Program Files\OpenOffice 2.0
2006-11-13 21:44 <DIR> d-------- C:\Program Files\WinZip
2006-11-13 21:42 <DIR> d-------- C:\WINDOWS\Flight over sea
2006-11-13 21:36 <DIR> d-------- C:\Program Files\JetAudio
2006-11-13 21:36 <DIR> d-------- C:\Program Files\Common Files\COWON
2006-11-13 21:36 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\COWON
2006-11-12 21:54 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-11-12 21:38 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Intel
2006-11-12 21:33 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2006-11-10 22:06 <DIR> d--hs---- C:\Recycled
2006-11-10 21:45 <DIR> d-------- C:\Program Files\Opera
2006-11-10 21:45 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Opera
2006-11-10 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-11-10 21:19 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-10 21:16 258,048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe
2006-11-10 21:14 81,920 --a------ C:\WINDOWS\system32\packet.dll
2006-11-10 21:14 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2006-11-10 21:14 61,440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-11-10 21:14 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-11-10 21:14 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2006-11-10 21:14 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-11-10 21:14 233,472 --a------ C:\WINDOWS\system32\wpcap.dll
2006-11-10 21:14 <DIR> d-------- C:\Program Files\WinPCap
2006-11-10 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2006-11-10 21:07 <DIR> d--h----- C:\WINDOWS\PIF
2006-11-10 20:57 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2006-11-10 20:57 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2006-11-10 20:57 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2006-11-10 20:57 <DIR> d-------- C:\Program Files\Launch Manager
2006-11-10 20:57 <DIR> d-------- C:\Documents and Settings\dwc\Bluetooth Software
2006-11-10 20:54 <DIR> d-------- C:\Program Files\WIDCOMM
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\SendTo
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\Application Data\.
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\Application Data
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\Start Menu
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\My Documents
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\Favorites
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\Templates
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\PrintHood
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\NetHood
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\Local Settings
2006-11-10 20:52 <DIR> d---s---- C:\Documents and Settings\dwc\Cookies
2006-11-10 20:52 <DIR> d---s---- C:\Documents and Settings\dwc\Application Data\Microsoft
2006-11-10 20:52 <DIR> d-------- C:\WINDOWS\Acer
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Desktop
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Symantec
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Macromedia
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Identities
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ATI
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Acer
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\..
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\..
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\.
2006-11-10 20:51 <DIR> d--hs---- C:\System Volume Information
2006-11-10 20:40 261,627 --a------ C:\WINDOWS\EMEAWG.EXE
2006-11-10 20:40 1,154,584 --a------ C:\WINDOWS\YTB.EXE
2006-11-10 17:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-26 14:39 -------- d-------- C:\Program Files\Symantec
2006-11-26 14:39 -------- d-------- C:\Program Files\SMSC
2006-11-26 14:35 -------- d-------- C:\Program Files\Messenger
2006-11-26 14:34 -------- d-------- C:\Program Files\Internet Explorer
2006-11-26 14:33 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-26 14:33 -------- d-------- C:\Program Files\Common Files\LightScribe
2006-11-25 11:37 -------- d-------- C:\Program Files\Windows Media Player
2006-11-25 10:25 -------- d-------- C:\Program Files\Common Files
2006-11-25 10:10 -------- d-------- C:\Program Files\Adobe
2006-11-24 16:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-23 22:10 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-23 21:35 48768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-23 21:35 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 20:56 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2006-11-10 20:40 701 --a------ C:\WINDOWS\CLEANUP.CMD
2006-11-10 20:39 1158 --a------ C:\WINDOWS\HotFix.bat
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-30 09:18 524288 --a------ C:\WINDOWS\opuc.dll
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:24 46345 --a------ C:\WINDOWS\NSSetDefaultBrowser.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"WallPaper"="C:\\PROGRA~1\\WALLPA~1\\WALLPA~1.EXE /h"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LaunchApp"="Alaunch"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SetIcon"="\\Program Files\\SMSC\\Seticon.exe"
"ntiMUI"="C:\\Program Files\\NewTech Infosystems\\NTI CD & DVD-Maker 7\\ntiMUI.exe"
@=""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ADMTray.exe"="\"C:\\Acer\\Empowering Technology\\admtray.exe\""
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"GraviSense"="C:\\Acer\\GraviSense\\GraviSense.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechCameraAssistant"="C:\\Program Files\\Acer\\OrbiCam\\CameraAssistant.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Acer\\OrbiCam\\InstallHelper.exe /inspect"
"LogitechCameraService(E)"="C:\\WINDOWS\\system32\\ElkCtrl.exe /automation"
"RTHDCPL"="RTHDCPL.EXE"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"voip phone charger"="\"C:\\Program Files\\Acer\\VoIP Phone Charger\\voip phone charger.exe\""
"WarReg_PopUp"="C:\\Acer\\WR_PopUp\\WarReg_PopUp.exe /idle"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"EOUApp"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="\"C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe\""
"IndexSearch"="\"C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe\""
"Logitech Hardware Abstraction Layer"="\"C:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE\""
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"FineReader7NewsReaderPro"="C:\\Program Files\\ABBYY FineReader 7\\AbbyyNewsReader.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{9B0C7A02-A17A-4C81-BD7D-30A622701C36}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffebc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - dwc.job

Completion time: 06-11-27 7:03:05.28
C:\ComboFix.txt ... 06-11-27 07:03

**********************************
**********************************
Logfile of HijackThis v1.99.1
Scan saved at 7:17:59 AM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\OpenOffice 2.0\program\soffice.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\OpenOffice 2.0\program\soffice.BIN
C:\Documents and Settings\dwc\Desktop\adisinfect\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WallPaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: Samcal.lnk = C:\Program Files\SamCal\samcal.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2006 - 01:35 PM

Hello drwc,

Then deleted the two files you listed ... there was a file next to ALCMTR.EXE, with the same icon, named ALCWZRD.exe , that I left in place. Didn't know if it too should be deleted.


That is OK, so don't delete it.

I then ran Combofix. I do have Norton Antivirus (2006), but I could not find a section for script blocking in the options. It's a version that came bundled with the computer ... maybe it lacks this function? Hopefully it didn't interfere with Combofix - no warnings came up while it ran.


Combofix worked OK. :thumbsup:


I'm still getting that 'Work Offline' or 'Try Again' dialog popping up. Computer seems to be running better, although still quite slow.


It is still infected, so it will be slow till the malware is gone.


I did see some processes listed as ishost.exe and ismini.exe that were suspicious, and when stopped made the icons for the fake virus removal services disappear from the taskbar.


Did you only stop ishost.exe and ismini.exe? If you stopped them then they will not appear in your HijackThis log.



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt
Most probably you are dealing with the latest version of Vundo, which targets HijackThis so HijackThis doesn't show its related entries in a log.

Please navigate to your HijackThis folder. Rename your hijackthis.exe to analyse.exe

Reboot.

Then doubleclick analyse.exe and post the log (this will be a HijackThis log of course).


1. Open Hijackthis and select: Open the Misc Tools section.
2. Then choose: Open Uninstall Manager and click Save List.
3. Save the list to your computer.
4. Then copy the contents of the list back to this thread in your next reply.

Edited by SifuMike, 27 November 2006 - 01:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts

Posted 27 November 2006 - 09:30 PM

Hello SifuMike-

I deleted the Ishost.exe and Ismini.exe. Hopefully, that is OK. If not, I did a complete backup last Wednesday night - prior to the infection by several days - so if they are not part of the problem, they could be restored.

I followed your directions:

Search with SmitfraudFix
Scan and then Remove with VundoFix
Reboot
Rename HijackThis.exe to Analyse.exe
Reboot
Scan with Analyse
Listing of Uninstall Manager using Analyse

After doing these, I'm still having the 'Work Offline' dialog popping up every few minutes. (Although it's kind of enjoyable seeing a piece of malevolent code being frustrated, I will be happier to see it go away altogether!)

Here are the logfiles, separated with double rows of **'s:

**********************
SmitfraudFix
**********************

SmitFraudFix v2.125

Scan done at 20:28:34.70, Mon 11/27/2006
Run from C:\Documents and Settings\dwc\Desktop\adisinfect\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dwc


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dwc\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dwc\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


********************************
VundoFix log
********************************

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 8:30:39 PM 11/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\winrzf32.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.ini2
C:\WINDOWS\system32\jlnmp.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winrzf32.dll
C:\WINDOWS\system32\winrzf32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini2
C:\WINDOWS\system32\jlnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.tmp
C:\WINDOWS\system32\jlnmp.tmp Has been deleted!

Performing Repairs to the registry.
Done!

*************************
Analyse (HijackThis) log
************************

Logfile of HijackThis v1.99.1
Scan saved at 8:57:31 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\OpenOffice 2.0\program\soffice.exe
C:\Program Files\OpenOffice 2.0\program\soffice.BIN
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Documents and Settings\dwc\Desktop\adisinfect\hijackthis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\mtufcark.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {109F0F48-C964-4E5A-A336-F0DB7A02E38A} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {20E2B0CD-D38C-41A6-B444-280E930B1C86} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\iiffebc.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WallPaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: Samcal.lnk = C:\Program Files\SamCal\samcal.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: iiffebc - C:\WINDOWS\SYSTEM32\iiffebc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

***************************
Uninstall Manager listing
***************************

5 IN 1 Card Reader
ABBYY FineReader 7.0 Professional Edition
Acer eDataSecurity Management 1.00.26
Acer eLock Management
Acer Empowering Technology framework
Acer ePerformance Management
Acer eSettings Management
Acer GraviSense
Acer GridVista
Acer OrbiCam Driver
Acer OrbiCam Software
Acer Screensaver
Acer USB Card Reader x86 Software
Acer VCM
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Creative Suite
Adobe Flash Player 9 ActiveX
Adobe PageMaker 7.0
Adobe SVG Viewer 3.0
Adobe Type Manager 4.1
Agere Systems AC'97 Modem
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AvantGo Client
AVG Anti-Spyware 7.5
BackupBuddy for Windows
Beyond Contacts
ccCommon
CCleaner (remove only)
CloneCD
Dell Printer Software Uninstall
DivX
Documents To Go
Epocrates Essentials
EPSON Perf 4870 Reference Guide
EPSON Scan
Eudora
Flight over sea 1.8
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB918005)
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterActual Player
Internet Worm Protection
InterVideo WinDVD 7
jetAudio Plus VX
JGsoft EditPad Lite 6.1.2
KhalSetup
Launch Manager
LiveUpdate 3.0 (Symantec Corporation)
Logitech SetPoint
Macromedia Flash Player 8
mCore
mDriver
mDrWiFi
mEoU
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office XP Small Business
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
mToolkit
mWlsSafe
mXML
mZConfig
NAVShortcut
Nero 7 Ultra Edition
Netscape Browser (remove only)
Nikon Message Center
NikonCapture
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
NTI Backup NOW! 4
NTI CD & DVD-Maker
O2Micro Smartcard Driver
OpenOffice.org 2.0
Opera 9.02
palmOne
Panda ActiveScan
PerSono
Picasa 2
PowerDVD
Realtek High Definition Audio Driver
Safety Alert 2006
Safety Bar
ScanSoft PaperPort 10.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SilverFast Epson (SE, Photoshop Plugin)
SilverFast Epson-SE
SPBBC
SpeedswitchXP V1.5
SplashWallet
Spybot - Search & Destroy 1.4
Symantec
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VoIP Phone Charger
WIDCOMM Bluetooth Software
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Toolbar
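
The Analyse (HijackThis) log above is triaged by hand in this thread; as an added example (not a tool from the thread or from the HijackThis project), the Python script below encodes the same reasoning a malware-removal helper applies to the O2 (Browser Helper Object) and O20 (Winlogon Notify) lines: an unnamed BHO loading straight from system32, or one whose DLL is already gone, is flagged, and a Winlogon Notify entry that reloads one of those DLLs at logon is flagged with it. The sample lines are copied from the posted log; the heuristics and thresholds are my own assumptions, not HijackThis logic.

```python
"""Triage the O2/O20 lines of a HijackThis-style log (added example, not a thread tool)."""
import ntpath
import re

# Constructed sample: the O2 and O20 lines from the Analyse (HijackThis) log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\mtufcark.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {109F0F48-C964-4E5A-A336-F0DB7A02E38A} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {20E2B0CD-D38C-41A6-B444-280E930B1C86} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\iiffebc.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: iiffebc - C:\WINDOWS\SYSTEM32\iiffebc.dll
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 lines: "O20 - Winlogon Notify: <subkey> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Heuristic (my assumption): a nameless BHO living directly in system32 is not how vendors ship.
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)


def parse_entries(log_text):
    """Split a log into its O2 (BHO) and O20 (Winlogon Notify) records."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"line": line, "name": m["name"], "path": m["path"],
                         "missing": m["missing"] is not None})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"line": line, "key": m["key"], "path": m["path"]})
    return bhos, notifies


def triage(log_text):
    """Return the entries worth acting on, each with a verdict ('remove'/'review') and reasons."""
    bhos, notifies = parse_entries(log_text)
    findings, suspicious_dlls = [], set()
    for bho in bhos:
        reasons = []
        if bho["name"] == "(no name)" and SYSTEM32_RE.match(bho["path"]):
            reasons.append("unnamed BHO loading a DLL straight from system32")
        if bho["missing"]:
            reasons.append("orphaned registration: the DLL is no longer on disk")
        if reasons:
            # Remember the DLL so a matching Winlogon Notify hook can be tied to it.
            suspicious_dlls.add(ntpath.basename(bho["path"]).lower())
            findings.append({"line": bho["line"], "verdict": "remove", "reasons": reasons})
    for entry in notifies:
        dll = ntpath.basename(entry["path"]).lower()
        if dll in suspicious_dlls:
            findings.append({"line": entry["line"], "verdict": "remove",
                             "reasons": ["Winlogon Notify reloads a suspicious BHO DLL at every logon"]})
        else:
            findings.append({"line": entry["line"], "verdict": "review",
                             "reasons": ["Winlogon Notify hook: confirm the DLL's vendor before trusting it"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['verdict']}] {finding['line']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Note that the nameless Spybot SDHelper.dll BHO is deliberately not flagged: a missing display name alone is not evidence, the load path is what separates it from the system32 entries.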

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2006 - 11:44 PM

Hello drwc,

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)



You are not clean yet. You still have some malware on your computer.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\mtufcark.dll
O2 - BHO: (no name) - {109F0F48-C964-4E5A-A336-F0DB7A02E38A} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {20E2B0CD-D38C-41A6-B444-280E930B1C86} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\iiffebc.dll
O20 - Winlogon Notify: iiffebc - C:\WINDOWS\SYSTEM32\iiffebc.dll
 

*******************************************

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\iiffebc.dll <==file
C:\WINDOWS\system32\mtufcark.dll <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.
Be patient, as it can take many hours for this to run (depends on the number of files). :thumbsup:

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.

Post the Jotti Scan log, BitDefender log, a fresh Hijackthis log and tell me how your computer is running.

When I boot into Windows, normal mode, I keep getting the 'trying to connect to the internet' 'Work offline' or 'Try Again' dialog box popping up.
(The machine is disconnected from the internet -


Try connecting it to the Internet and booting up. I bet one of your programs is trying to dial home. Do you have a firewall installed on this computer? If so, it should tell you if you have a program sending outgoing messages.

Edited by SifuMike, 28 November 2006 - 12:15 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
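The six HijackThis lines above show the pattern a helper looks for by eye: unnamed BHOs living in system32, BHO CLSIDs whose DLL is already gone, and one DLL (iiffebc.dll) registered both as a BHO (O2) and as a Winlogon Notify handler (O20), which winlogon loads at boot. The following Python is an added example, not part of the thread and not a HijackThis feature, that applies those three checks to pasted log lines; the sample input is constructed from the lines quoted above plus a few ordinary O2 entries from the later log, and the rules are heuristics, not HijackThis's own logic.

```python
import re

# Constructed sample: the six HijackThis lines SifuMike asked to be fixed above,
# one "(no file)" entry of the same kind from the later log, and three ordinary
# O2 entries that a clean log on this machine would also contain.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\mtufcark.dll
O2 - BHO: (no name) - {109F0F48-C964-4E5A-A336-F0DB7A02E38A} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {20E2B0CD-D38C-41A6-B444-280E930B1C86} - C:\WINDOWS\system32\pmnlj.dll (file missing)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\iiffebc.dll
O20 - Winlogon Notify: iiffebc - C:\WINDOWS\SYSTEM32\iiffebc.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)\s*(?:\((?P<flag>file missing|no file)\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def _basename(win_path):
    """Last component of a Windows path, lower-cased (os.path is POSIX here)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def _in_system32(win_path):
    return "\\system32\\" in win_path.lower()


def analyze_hjt(text):
    """Map each suspicious DLL (or orphan CLSID) to its reasons and log lines."""
    bhos, notify = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((line, m.groupdict()))
            continue
        m = O20_RE.match(line)
        if m:
            notify[_basename(m.group("path"))] = line

    findings = {}
    for line, e in bhos:
        key = _basename(e["path"]) if e["path"] else e["clsid"].upper()
        reasons = []
        if e["flag"]:
            reasons.append(f"BHO CLSID registered but its DLL is gone ({e['flag']}): "
                           "orphan left behind by a removed or renamed component")
        if e["name"] == "(no name)" and e["path"] and _in_system32(e["path"]):
            reasons.append("unnamed BHO loading straight from system32")
        if key in notify:
            reasons.append("same DLL is also a Winlogon Notify handler (O20): winlogon "
                           "loads it at boot, which is why it resists ordinary deletion")
        if reasons:
            findings[key] = {"reasons": reasons, "lines": [line]}
            if key in notify:
                findings[key]["lines"].append(notify[key])
    for name, line in notify.items():
        if name not in findings:  # O20 handler with no BHO twin still warrants review
            findings[name] = {"reasons": ["Winlogon Notify handler: confirm the DLL "
                                          "belongs to an installed product"],
                              "lines": [line]}
    return findings


def fix_candidates(text):
    """Log lines to tick in HijackThis, in their original order."""
    wanted = {l for f in analyze_hjt(text).values() for l in f["lines"]}
    return [ln.strip() for ln in text.splitlines() if ln.strip() in wanted]


if __name__ == "__main__":
    for key, f in analyze_hjt(SAMPLE_HJT_LINES).items():
        print(key)
        for r in f["reasons"]:
            print("   -", r)
```

Spybot's SDHelper.dll is also an unnamed BHO, which is why the system32 location is part of the rule rather than the "(no name)" label alone; the O2/O20 pairing is the strongest of the three signals and is the one that explains the deletion trouble reported later in this thread.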

#8 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 AM

Posted 28 November 2006 - 06:58 AM

Hello SifuMike-

Thanks for all your help. I have a couple of questions about the next set of steps:

The infected computer is not online; so can I copy the infected file to a flash drive and upload it to Jotti online scanner using another computer? (Also, would it be helpful to upload the program that created this problem to the sandbox?)

CCleaner is installed - we used it earlier in the removal process. The machine has been offline since the last time we ran ccleaner, so is running it again going to remove anything more?

I'm very nervous about reconnecting to the internet to run a bitdefender scan. My experience before was that this allowed for a lot of malware, etc to reappear, which had previous been removed, and I don't want to undo what we have already accomplished. It also was difficult to do, as my IE windows were being resized, closed, new ones popping up with fake(?) warnings of infections and refusing to be dismissed, etc. I had to lower the internet security settings to medium, in order to download the activeX components to run the scan, and that seemed to be when all h*ll broke loose. Basically, I don't want to undo what we have accomplished so far...

Perhaps related to this last point, I don't have firewall (other than Windows own wimpy one) running. I do have a copy of Norton Systemworks Premier which I haven't installed yet (I'm migrating from one laptop to a new one - the infected one!), but I don't know if there's a firewall component to this Norton bundle.

Would it be a good idea to install a firewall prior to connecting to the internet again? If so, would you recommend any free ones? Sygate Personal Firewall or ZoneLabs Zone Alarm are recommended on the Bleepingcomputer site; do they both have free versions, are the free versions good enough, and would either one be preferable to the other?

Also, AVS Antispyware is installed on the computer. Would running it be a reasonable alternative to Bitdefender?

Sorry about all these questions, but reconnecting to the internet to run Pandascan and Housecall was not a good experience when I did it on Sunday, and I'm trying not to make the same mistakes again... As you said, it's likely some program is trying to dial home, and I'm sure allowing it to succeed will not be good for my computer.

Thanks,
drwc

Edited by drwc, 28 November 2006 - 08:13 AM.


#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:12 AM

Posted 28 November 2006 - 03:23 PM

I have a couple of questions about the next set of steps:

The infected computer is not online; so can I copy the infected file to a flash drive and upload it to Jotti online scanner using another computer? (Also, would it be helpful to upload the program that created this problem to the sandbox?)


Yes, that should work. :thumbsup: No, don't load it to the sandbox.

CCleaner is installed - we used it earlier in the removal process. The machine has been offline since the last time we ran ccleaner, so is running it again going to remove anything more?


It may not find anything, but it can't hurt anything to run it, and it takes seconds to run.

I'm very nervous about reconnecting to the internet to run a bitdefender scan. My experience before was that this allowed for a lot of malware, etc to reappear, which had previous been removed, and I don't want to undo what we have already accomplished. It also was difficult to do, as my IE windows were being resized, closed, new ones popping up with fake(?) warnings of infections and refusing to be dismissed, etc. I had to lower the internet security settings to medium, in order to download the activeX components to run the scan, and that seemed to be when all h*ll broke loose. Basically, I don't want to undo what we have accomplished so far...


Many millions of people use ActiveX all the time and have no problem. It is mandatory for running an online antivirus program, and many online programs.
As long as you have IE updated, a free firewall, and an antivirus program, I would not worry about it.

Perhaps related to this last point, I don't have firewall (other than Windows own wimpy one) running. I do have a copy of Norton Systemworks Premier which I haven't installed yet (I'm migrating from one laptop to a new one - the infected one!), but I don't know if there's a firewall component to this Norton bundle.




Norton Systemworks Premier does not include a firewall.



Would it be a good idea to install a firewall prior to connecting to the internet again? If so, would you recommend any free ones? Sygate Personal Firewall or ZoneLabs Zone Alarm are recommended on the Bleepingcomputer site; do they both have free versions, are the free versions good enough, and would either one be preferable to the other?



Yes, definitely install a software firewall, as that is your first defense against malware.
Sygate firewall has been bought by Symantec, and Symantec immediately eliminated support for it (but many people still use it).

Free versions are good enough. :flowers: The paid versions offer more bells and whistles.

Here are four free firewalls available for personal use. If one conflicts with your system, try another. All are good, it is a matter of which one you like better.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls

Kerio Personal Firewall

Outpost Firewall Free

Jetico Personal Firewall

ZoneAlarm
ZoneAlarm Manual
http://download.zonelabs.com/bin/media/pdf/ZAP40_manual.pdf

Also, AVS Antispyware is installed on the computer. Would running it be a reasonable alternative to Bitdefender?


No. AVG Antispyware is for spyware. BitDefender is for viruses and trojans.
You need to have an active antivirus running at all times, and use the antispyware weekly.


Sorry about all these questions, but reconnecting to the internet to run Pandascan and Housecall was not a good experience when I did it on Sunday, and I'm trying not to make the same mistakes again... As you said, it's likely some program is trying to dial home, and I'm sure allowing it to succeed will not be good for my computer.


Good questions. :huh:
A little paranoia is good, as it keeps you vigilant.
If you install a free firewall, then you will be notified of any program phoning home.

I would not worry about going online, as if you have a firewall, antivirus, run antispyware programs, you will not have a problem. :huh:

Also, when you install Norton Systemworks Premier, you will need to register and update it, so that requires you to get online. All the virus updates are done online several times a week, so online access is mandatory.


Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again, as well as
How did I get infected?, With steps so it does not happen again!

Edited by SifuMike, 28 November 2006 - 03:26 PM.


#10 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 AM

Posted 28 November 2006 - 09:17 PM

Hello SifuMike-

Thanks for your reply to my various questions.

I've installed Zone Alarm now, and when the Work Offline dialog appeared, Zone Alarm told me Windows Explorer was trying to access the internet and listed an IP address in the pop-up (82.98.235.63). I assume this is the address that was trying to be contacted (It is not the IP address assigned to me by my ISP). Curiously, after I booted up (after installing Zone Alarm), Zone Alarm's pop-up told me that eDSloader, CLI Application, and Logitech Setpoint Event Manager all tried to access the internet, and listed that same IP address for each!

I uploaded RtkBtMnt.exe to Jotti Scanner and the following is the listing. (I think the file is used by my audio hardware, as its properties list 'Realtek HD Audio Data Rerouter' and my laptop has Realtek HD Audio listed in Device Manager.)

File: RtkBtMnt.exe
Status: OK
MD5 f39e2e46db5ed35668189407b9050e79
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing


One of the two files to delete in system32 wasn't there (mtufcark.dll); iiffebc.dll did not want to be deleted, so I tried using Killbox to delete it. It still wouldn't be deleted... even with the delete on reboot option. When I chose this, Killbox showed a timer counting down a few seconds till reboot, but then abruptly showed a dialog saying "PendingFileRenameOperations Registry Data has been removed by external process!" It appears this file is being defended..!

Also, the two lines referencing iiffebc.dll that I checked (fixed) in HijackThis are still there. :thumbsup:

I ran CCleaner with the settings you listed - BTW, there was no Java listed in the internet section.

Should I proceed with running Bitdefender, or would it be prudent to deal with the iiffebc.dll file first?

Thanks

#11 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 AM

Posted 30 November 2006 - 06:51 AM

Hello SifuMike,

Some additional info that might be helpful...

I scanned the executable that started this problem with Jotti; the following is the result:

File: temp.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 5cd7cc7c6c379f592b26eb64b2f29c77
Packers detected: -
Scanner results
AntiVir Found Dropper/Shelled.Gen dropper
ArcaVir Found Trojan.Dropper.Agent.Azn
Avast Found Win32:Agent-CJJ
AVG Antivirus Found nothing
BitDefender Found Trojan.Mezzia.N
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Dropper.Win32.Agent.azn
Fortinet Found W32/Agent.AZN!tr
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.azn
NOD32 Found nothing
Norman Virus Control Found W32/Agent.ATFP
VirusBuster Found nothing
VBA32 Found Trojan-Dropper.Win32.Agent.azn

A Jotti scan of IIffebc.dll gave the following:

File: iiffebc.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 79176bc815f90ee7e00a5160940bcd03
Packers detected: -
Scanner results
AntiVir Found Trojan/Vundo.Gen
ArcaVir Found Trojan.Agent.Nv
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Virtumod.DF
ClamAV Found nothing
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Virtumod

Any suggestions on how to delete iiffebc.dll?

Thanks,
drwc
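Two multi-engine listings like the ones above are easier to act on when reduced to an engine count, a detection count, and the family name most engines agree on: 9 of 15 engines flag temp.exe and 7 of them name it Agent, while 5 of 15 flag iiffebc.dll and 3 call it Virtumod. The Python below is an added example, not part of this thread and not Jotti's own software; it parses the pasted text of a Jotti result (both the "Found ..." form used here and the older "No viruses found (x seconds taken)" form shown earlier in the thread) and votes on family tokens after discarding generic words such as Trojan, Win32 and Dropper. The sample inputs are the two listings above, copied verbatim, and the generic-word list is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample input: the two Jotti listings posted above, copied verbatim.
JOTTI_TEMP_EXE = """\
File: temp.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 5cd7cc7c6c379f592b26eb64b2f29c77
Packers detected: -
Scanner results
AntiVir Found Dropper/Shelled.Gen dropper
ArcaVir Found Trojan.Dropper.Agent.Azn
Avast Found Win32:Agent-CJJ
AVG Antivirus Found nothing
BitDefender Found Trojan.Mezzia.N
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Dropper.Win32.Agent.azn
Fortinet Found W32/Agent.AZN!tr
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.azn
NOD32 Found nothing
Norman Virus Control Found W32/Agent.ATFP
VirusBuster Found nothing
VBA32 Found Trojan-Dropper.Win32.Agent.azn
"""

JOTTI_IIFFEBC_DLL = """\
File: iiffebc.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 79176bc815f90ee7e00a5160940bcd03
Packers detected: -
Scanner results
AntiVir Found Trojan/Vundo.Gen
ArcaVir Found Trojan.Agent.Nv
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Virtumod.DF
ClamAV Found nothing
Dr.Web Found Trojan.Virtumod
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Virtumod
"""

# One result line per engine, in either the "Found ..." form used above or the
# older "No viruses found (x seconds taken)" form shown earlier in the thread.
RESULT_RE = re.compile(r"^(?P<scanner>.+?) (?:Found (?P<verdict>.+)|No viruses found\b.*)$")

# Assumed list of tokens that carry no family information (class, platform, suffix).
GENERIC = {"trojan", "win32", "w32", "dropper", "gen", "generic", "malware",
           "virus", "adware", "spyware", "heur", "dll", "exe"}


def parse_jotti(text):
    """Header fields plus {scanner: verdict or None} for a pasted Jotti listing."""
    rep = {"file": None, "status": None, "md5": None, "packers": None, "results": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            rep["file"] = line[6:]
        elif line.startswith("Status: "):
            rep["status"] = line[8:]
        elif line.startswith("MD5 "):
            rep["md5"] = line[4:].lower()
        elif line.startswith("Packers detected: "):
            rep["packers"] = line[18:]
        else:
            m = RESULT_RE.match(line)
            if m:
                v = m.group("verdict")
                clean = v is None or v.strip().lower() == "nothing"
                rep["results"][m.group("scanner")] = None if clean else v.strip()
    return rep


def _tokens(verdict):
    """Candidate family names in one engine's verdict, one vote each."""
    parts = re.split(r"[^A-Za-z0-9]+", verdict)
    return {p.lower() for p in parts if len(p) > 2} - GENERIC


def summarize(text):
    """Engine count, detection count and the family token most engines agree on."""
    rep = parse_jotti(text)
    hits = {s: v for s, v in rep["results"].items() if v}
    votes = Counter()
    for verdict in hits.values():
        votes.update(_tokens(verdict))
    family, n = votes.most_common(1)[0] if votes else (None, 0)
    return {"file": rep["file"], "md5": rep["md5"], "engines": len(rep["results"]),
            "detections": len(hits), "family": family, "family_votes": n,
            "names": sorted(set(hits.values()))}


if __name__ == "__main__":
    for sample in (JOTTI_TEMP_EXE, JOTTI_IIFFEBC_DLL):
        s = summarize(sample)
        print(f"{s['file']}: {s['detections']}/{s['engines']} engines, family={s['family']} ({s['family_votes']} votes)")
```

Vundo, Virtumonde and Virtumod are different vendors' names for the same family, so the AntiVir vote for "vundo" and the three for "virtumod" on iiffebc.dll describe one thing; a per-vendor alias table could fold them together, but the plain token vote already makes the consensus visible.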

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:12 AM

Posted 30 November 2006 - 01:46 PM

Hi drwc,

Should I proceed with running Bitdefender, or would it be prudent to deal with the iiffebc.dll file first?


Run BitDefender and post the BitDefender log.

When I chose this, Killbox showed a timer counting down a few seconds till reboot, but then abruptly showed a dialog saying "PendingFileRenameOperations Registry Data has been removed by external process!" It appears this file is being defended..!


If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually. :thumbsup:

What is the file path on File: temp.exe? I don't see it in your HijackThis log.


There might be more files to delete besides iiffebc.dll, so
let's run ComboFix


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Notes:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 30 November 2006 - 02:02 PM.


#13 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 AM

Posted 30 November 2006 - 08:55 PM

Hi SifuMike-

You asked about the path to temp.exe. That is the program which I ran that installed whatever started these problems. It's off my computer now, on a flash drive. I saved it in case examining it with something like the Jotti scanner would help determine what happened, and how to fix/remove it.

I'm not sure if you understood what I was saying about deleting the iiffebc.dll file. I can't delete it, even with Killbox. (I do know how to reboot manually :thumbsup: )

The problem isn't that the computer doesn't reboot when killbox tries to reboot it (although that is happening), it is that iiffebc.dll isn't going away. The dialog box that killbox displays seems to indicate that iiffebc.dll is being removed from the list of files to delete on reboot by an external process. When I reboot after getting this message, the file is still present.

Also, the entries in the HijackThis log that refer to this file (which you told me to fix/remove) are not going away when I select them, and "fix" them in HijackThis.

Given that it is malware, and something has been trying to dial home from my computer, my instinct would be to get it removed before reconnecting to the internet and scanning for additional problems with Bitdefender.

Should I just ignore it for the time being, and run Bitdefender?

#14 drwc

drwc
  • Topic Starter

  • Members
  • 12 posts
  • Local time:04:12 AM

Posted 30 November 2006 - 10:41 PM

SifuMike-

I installed a program called SuperAntiSpyware, since it seems to be used by some other members of the HJT team, and I was curious what it might pick up.

I reconnected to the internet to update its database, and ran a scan. It flagged Safety Alert 2006 and Safety Bar, which were listed in the uninstall files, and something else related to Smitfraud.

I removed them, and rebooted. After the reboot, I started getting IE popups for bogus virus removal products and something from amaena. I disconnected from the internet, ran SuperAntispyware again, and a number of new things had appeared.

Despite having a firewall up now, it seems that reconnecting to the net is not a good idea. Whatever is on the computer is not being blocked by ZoneAlarm. I haven't given permission to anything (other than Superantispyware) to access the internet, but it looks like IE is not blocked, and is a problem.

This is feeling like trying to bail out a boat that still has a hole in it!

The following are logs from both runs of SuperAntispyware, and a new HijackThis log:

SUPERAntiSpyware Scan Log
Generated 11/30/2006 at 09:32 PM

Application Version : 3.3.1020

Core Rules Database Version : 3140
Trace Rules Database Version: 1157

Scan type : Complete Scan
Total Scan Time : 00:09:25

Memory items scanned : 857
Memory threats detected : 0
Registry items scanned : 6594
Registry threats detected : 13
File items scanned : 6718
File threats detected : 0

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST

Malware.Safety Bar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyBar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyBar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyBar#UninstallString

*****************************************

SUPERAntiSpyware Scan Log
Generated 11/30/2006 at 10:06 PM

Application Version : 3.3.1020

Core Rules Database Version : 3140
Trace Rules Database Version: 1157

Scan type : Complete Scan
Total Scan Time : 00:08:47

Memory items scanned : 821
Memory threats detected : 1
Registry items scanned : 6598
Registry threats detected : 9
File items scanned : 6852
File threats detected : 5

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\AWTQO.DLL
C:\WINDOWS\SYSTEM32\AWTQO.DLL
HKLM\Software\Classes\CLSID\{7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF}
HKCR\CLSID\{7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF}
HKCR\CLSID\{7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF}\InprocServer32
HKCR\CLSID\{7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtqo

Adware.Tracking Cookie
C:\Documents and Settings\dwc\Cookies\dwc@stats1.reliablestats[2].txt
C:\Documents and Settings\dwc\Cookies\dwc@mediaplex[1].txt
C:\Documents and Settings\dwc\Cookies\dwc@indexstats[2].txt
C:\Documents and Settings\dwc\Cookies\dwc@www.amaena[2].txt

Unclassified.Unknown Origin
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32#ThreadingModel

**************************

Logfile of HijackThis v1.99.1
Scan saved at 10:30:10 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\OpenOffice 2.0\program\soffice.exe
C:\Program Files\OpenOffice 2.0\program\soffice.BIN
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Documents and Settings\dwc\Desktop\adisinfect\hijackthis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WallPaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: Samcal.lnk = C:\Program Files\SamCal\samcal.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#15 drwc

  • Topic Starter
  • Members
  • 12 posts

Posted 30 November 2006 - 11:16 PM

Hi SifuMike-

Looking at the log files I just sent, I realized the references to iiffebc.dll were gone from the HijackThis log.

So, I tried Killbox again, and this time it could delete the file.

I also ran Combofix, rebooted and ran HijackThis again for an updated log.

(Sorry about all these logs, but given our apparent difference in schedules, I figured it would be better to cue up as much information as possible)

Thanks-

Combofix, **************, then HijackThis logs

dwc - 06-11-30 22:39:38.56 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\dwc\Desktop\adisinfect"

((((((((((((((((((((((((((((((( Files Created from 2006-10-30 to 2006-11-30 ))))))))))))))))))))))))))))))))))


2006-11-30 21:53 88,340 --a------ C:\WINDOWS\system32\ydmfwqij.exe
2006-11-30 21:53 791,882 ---hs---- C:\WINDOWS\system32\oqtwa.bak1
2006-11-30 21:53 42,516 --a------ C:\WINDOWS\system32\bsrfvwsq.dll
2006-11-30 21:53 126,996 --a------ C:\WINDOWS\system32\jugxxoyi.dll
2006-11-30 21:53 <DIR> d-------- C:\Program Files\VSAdd-in
2006-11-30 21:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2006-11-30 21:15 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\SUPERAntiSpyware.com
2006-11-28 20:24 <DIR> dr-h----- C:\Documents and Settings\dwc\Recent
2006-11-28 20:11 <DIR> d-------- C:\!KillBox
2006-11-28 17:49 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-11-28 17:49 <DIR> d-------- C:\Program Files\Zone Labs
2006-11-28 17:48 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-11-27 20:28 6,960 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 06:22 <DIR> d-------- C:\Program Files\CCleaner
2006-11-26 15:17 <DIR> d-------- C:\Documents and Settings\dwc\.housecall6.6
2006-11-26 13:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-26 13:46 40,973 --------- C:\WINDOWS\system32\iiffebc.dll
2006-11-26 10:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 10:54 <DIR> d-------- C:\Program Files\Grisoft
2006-11-26 08:33 40,973 ---hs---- C:\WINDOWS\system32\wvuttqr.dll
2006-11-26 07:32 <DIR> d-------- C:\Program Files\Lavasoft
2006-11-26 07:32 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Lavasoft
2006-11-26 00:48 <DIR> d-------- C:\VundoFix Backups
2006-11-25 21:29 126,996 --a------ C:\WINDOWS\system32\lrsovofh.dll
2006-11-25 21:24 40,973 ---hs---- C:\WINDOWS\system32\awtqrom.dll
2006-11-25 21:24 <DIR> d-------- C:\Program Files\StartEd
2006-11-25 20:14 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ABBYY
2006-11-25 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2006-11-25 19:45 <DIR> d-------- C:\Program Files\ABBYY FineReader 7
2006-11-25 10:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2006-11-25 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2006-11-25 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-24 16:12 81,920 -ra------ C:\WINDOWS\system32\equcof.dll
2006-11-24 16:12 45,056 -ra------ C:\WINDOWS\system32\uacb.dll
2006-11-24 16:12 21,276 -ra------ C:\WINDOWS\system32\drivers\uacflt.sys
2006-11-24 16:12 <DIR> d-------- C:\Program Files\PerSono
2006-11-24 15:59 <DIR> d-------- C:\Program Files\Picasa2
2006-11-24 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-24 06:58 <DIR> d-------- C:\Program Files\SpeedswitchXP
2006-11-23 22:31 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-23 21:46 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Netscape
2006-11-23 21:41 <DIR> d-------- C:\Program Files\Netscape
2006-11-23 21:41 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-11-23 20:51 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2006-11-23 20:51 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2006-11-23 20:51 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-23 20:40 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Nikon
2006-11-23 20:32 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2006-11-23 20:32 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2006-11-23 20:32 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2006-11-23 20:32 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2006-11-23 20:32 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2006-11-23 20:32 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2006-11-23 20:32 3,579,904 --a------ C:\WINDOWS\system32\NkNEFPlugin.dll
2006-11-23 20:32 180,224 -ra------ C:\WINDOWS\system32\Strato5.dll
2006-11-23 20:32 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2006-11-23 20:32 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2006-11-23 20:32 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2006-11-23 20:32 <DIR> d-------- C:\Program Files\Nikon
2006-11-23 20:32 <DIR> d-------- C:\Program Files\Common Files\Nikon
2006-11-23 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2006-11-23 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2006-11-23 08:19 <DIR> d--hs---- C:\RECYCLER
2006-11-22 22:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-11-22 22:24 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\EPSON
2006-11-22 22:13 887,296 --a------ C:\WINDOWS\system32\libeay32.dll
2006-11-22 22:13 626,688 --a------ C:\WINDOWS\system32\libcurl.dll
2006-11-22 22:13 233,557 --a------ C:\WINDOWS\system32\esint54.dll
2006-11-22 22:13 196,608 --a------ C:\WINDOWS\system32\esdice63.dll
2006-11-22 22:13 172,032 --a------ C:\WINDOWS\system32\libssl32.dll
2006-11-22 22:13 167,936 --a------ C:\WINDOWS\system32\DICELibSF1.dll
2006-11-22 22:13 151,552 --a------ C:\WINDOWS\system32\DICELibSF2.dll
2006-11-22 21:45 <DIR> d-------- C:\WINDOWS\system32\Color
2006-11-22 21:45 <DIR> d-------- C:\Program Files\LaserSoft
2006-11-22 21:01 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Lasersoft Imaging
2006-11-22 20:55 43,136 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2006-11-22 20:55 10,880 --a------ C:\WINDOWS\system32\drivers\scsiscan.sys
2006-11-22 20:54 33,280 --a------ C:\WINDOWS\system32\esccm.dll
2006-11-22 20:54 32,256 --a------ C:\WINDOWS\system32\escwiab.dll
2006-11-22 20:54 27,648 --a------ C:\WINDOWS\system32\escimg.dll
2006-11-22 20:54 <DIR> d-------- C:\Program Files\EPSON
2006-11-21 23:05 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-11-19 23:23 <DIR> d-------- C:\Program Files\SlySoft
2006-11-19 22:29 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-11-19 22:29 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-19 22:29 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-11-19 22:29 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-19 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2006-11-19 22:28 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Logitech
2006-11-19 22:25 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2006-11-19 22:25 71,936 --a------ C:\WINDOWS\system32\drivers\LMOUKE.sys
2006-11-19 22:25 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2006-11-19 22:25 55,936 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2006-11-19 22:25 3,712 --a------ C:\WINDOWS\system32\drivers\LBeepKE.sys
2006-11-19 22:25 27,136 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2006-11-19 22:25 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2006-11-19 22:25 131,072 --a------ C:\WINDOWS\system32\KemUtil.dll
2006-11-19 22:25 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2006-11-19 22:25 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2006-11-19 22:25 <DIR> d-------- C:\Program Files\Logitech
2006-11-19 22:09 <DIR> d-------- C:\Program Files\Epocrates
2006-11-19 22:09 <DIR> d-------- C:\Program Files\Common Files\Epocrates
2006-11-19 22:01 66,048 --a------ C:\WINDOWS\system32\agcmn.dll
2006-11-19 22:01 50,880 --a------ C:\WINDOWS\system32\agproxy.dll
2006-11-19 22:01 47,936 --a------ C:\WINDOWS\system32\wgrs.dll
2006-11-19 22:01 43,824 --a------ C:\WINDOWS\system32\agprtcl.dll
2006-11-19 22:01 42,368 --a------ C:\WINDOWS\system32\agconnct.dll
2006-11-19 22:01 416,000 --a------ C:\WINDOWS\system32\agsnet.dll
2006-11-19 22:01 40,712 --a------ C:\WINDOWS\system32\agcrypto.dll
2006-11-19 22:01 34,592 --a------ C:\WINDOWS\system32\agnet.dll
2006-11-19 22:01 34,464 --a------ C:\WINDOWS\system32\agcehdlr.dll
2006-11-19 22:01 25,152 --a------ C:\WINDOWS\system32\agcncmn.dll
2006-11-19 22:01 146,736 --a------ C:\WINDOWS\system32\agclcmn.dll
2006-11-19 22:01 111,376 --a------ C:\WINDOWS\system32\expat.dll
2006-11-19 22:01 <DIR> d-------- C:\Program Files\AvantGo
2006-11-19 21:38 <DIR> d-------- C:\Program Files\SplashData
2006-11-19 21:16 <DIR> d-------- C:\Program Files\Beyond Contacts
2006-11-19 21:03 <DIR> d-------- C:\Program Files\Documents To Go
2006-11-19 21:03 <DIR> d-------- C:\Program Files\Common Files\DataViz
2006-11-19 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2006-11-19 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2006-11-19 20:56 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\HotSync
2006-11-19 20:53 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Leadertech
2006-11-19 20:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-19 20:35 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-11-19 20:27 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2006-11-19 20:26 <DIR> d-------- C:\Palm
2006-11-19 17:54 <DIR> d-------- C:\Program Files\TreePad Lite
2006-11-19 17:44 67,472 --a------ C:\WINDOWS\UnDeploy.exe
2006-11-19 17:44 <DIR> d-------- C:\Program Files\JGsoft
2006-11-19 17:44 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\JGsoft
2006-11-19 10:54 <DIR> d-------- C:\Apps
2006-11-18 20:54 <DIR> d-------- C:\Program Files\Spybot
2006-11-18 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-18 20:23 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\WINDOWS\PIXTRAN
2006-11-18 20:22 <DIR> d-------- C:\Program Files\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\Program Files\Common Files\Scansoft Shared
2006-11-18 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2006-11-18 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2006-11-18 09:28 299,520 --a------ C:\WINDOWS\uninst.exe
2006-11-18 09:28 15,360 --a------ C:\WINDOWS\system32\ATMsrvc.exe
2006-11-18 09:28 <DIR> d-------- C:\PSFONTS
2006-11-18 09:28 <DIR> d-------- C:\Program Files\Adobe Type Manager
2006-11-18 09:27 65,536 --a------ C:\WINDOWS\system32\adistres.dll
2006-11-18 09:27 20,584 --a------ C:\WINDOWS\system32\PdfPorts.dll
2006-11-18 09:27 <DIR> d-------- C:\Documents and Settings\dwc\WINDOWS
2006-11-18 09:26 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\InterTrust
2006-11-18 09:25 94,285 --a------ C:\WINDOWS\system32\Msvcirtd.dll
2006-11-18 09:25 6,144 --a------ C:\WINDOWS\system32\W95fiber.dll
2006-11-18 09:25 5,632 --a------ C:\WINDOWS\system32\Mfcuia32.dll
2006-11-18 09:25 33,424 --a------ C:\WINDOWS\system32\Urlcache.dll
2006-11-18 09:25 322,832 --a------ C:\WINDOWS\system32\Mfc30.dll
2006-11-18 09:25 32,792 --a------ C:\WINDOWS\Spwhpt.dll
2006-11-18 09:25 212,480 --a------ C:\WINDOWS\Pcdlib32.dll
2006-11-18 09:25 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2006-11-18 09:25 133,904 --a------ C:\WINDOWS\system32\Mfcans32.dll
2006-11-18 09:25 133,392 --a------ C:\WINDOWS\system32\Mfco30.dll
2006-11-18 08:47 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-11-18 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2006-11-18 08:37 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-11-18 08:37 <DIR> d-------- C:\WINDOWS\system32\Adobe
2006-11-18 08:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-11-18 08:24 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-18 08:23 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-17 21:13 34,308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-11-17 20:53 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\InterVideo
2006-11-17 20:50 <DIR> d-------- C:\Program Files\InterActual
2006-11-17 20:50 <DIR> d-------- C:\Program Files\DivX
2006-11-17 20:49 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2006-11-17 20:49 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2006-11-17 20:49 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2006-11-17 20:49 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2006-11-17 20:49 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2006-11-17 20:49 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2006-11-17 20:49 <DIR> d-------- C:\Program Files\InterVideo Information Service
2006-11-17 20:49 <DIR> d-------- C:\Program Files\InterVideo
2006-11-17 20:49 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2006-11-17 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2006-11-17 07:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-17 06:50 167,936 --a------ C:\WINDOWS\system32\LexLog.dll
2006-11-17 06:50 <DIR> d-------- C:\Program Files\Dell
2006-11-17 06:49 <DIR> d-------- C:\dell
2006-11-16 23:23 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\AdobeUM
2006-11-16 23:13 <DIR> d---s---- C:\Documents and Settings\dwc\UserData
2006-11-16 23:02 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\OfficeUpdate12
2006-11-16 22:56 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-11-16 22:56 <DIR> d-------- C:\Program Files\Common Files\Designer
2006-11-16 22:55 <DIR> d-------- C:\WINDOWS\ShellNew
2006-11-16 22:55 <DIR> d-------- C:\Program Files\Microsoft Office
2006-11-16 22:55 <DIR> d-------- C:\Program Files\Common Files\L&H
2006-11-16 21:41 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Adobe
2006-11-15 22:28 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\U3
2006-11-15 21:58 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Help
2006-11-15 21:54 <DIR> d-------- C:\Program Files\WinRAR
2006-11-15 21:54 <DIR> d-------- C:\Program Files\WallpaperChanger
2006-11-15 21:54 <DIR> d-------- C:\Program Files\SamCal
2006-11-15 21:54 <DIR> d-------- C:\Program Files\LexarMedia
2006-11-15 21:54 <DIR> d-------- C:\Program Files\IrfanView
2006-11-15 21:54 <DIR> d-------- C:\Program Files\IconsExtract
2006-11-15 21:54 <DIR> d-------- C:\Program Files\Icon Extracter
2006-11-15 21:54 <DIR> d-------- C:\Program Files\EditPadLite
2006-11-15 21:54 <DIR> d-------- C:\Program Files\dnoter
2006-11-15 20:44 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Qualcomm
2006-11-15 20:39 48,640 -ra------ C:\WINDOWS\system32\INETWH32.DLL
2006-11-15 20:39 1,056,768 --a------ C:\WINDOWS\system32\Roboex32.dll
2006-11-15 20:39 <DIR> d-------- C:\Program Files\Qualcomm
2006-11-13 22:17 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-13 22:14 <DIR> d-------- C:\Program Files\Nero
2006-11-13 22:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
2006-11-13 22:14 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Ahead
2006-11-13 22:10 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\OpenOffice.org2
2006-11-13 22:03 <DIR> d-------- C:\Program Files\OpenOffice 2.0
2006-11-13 21:44 <DIR> d-------- C:\Program Files\WinZip
2006-11-13 21:42 <DIR> d-------- C:\WINDOWS\Flight over sea
2006-11-13 21:36 <DIR> d-------- C:\Program Files\JetAudio
2006-11-13 21:36 <DIR> d-------- C:\Program Files\Common Files\COWON
2006-11-13 21:36 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\COWON
2006-11-12 21:54 21,275 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-11-12 21:38 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Intel
2006-11-12 21:33 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2006-11-10 22:06 <DIR> d--hs---- C:\Recycled
2006-11-10 21:45 <DIR> d-------- C:\Program Files\Opera
2006-11-10 21:45 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Opera
2006-11-10 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-11-10 21:19 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-10 21:16 258,048 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe
2006-11-10 21:14 81,920 --a------ C:\WINDOWS\system32\packet.dll
2006-11-10 21:14 78,208 --a------ C:\WINDOWS\system32\drivers\epm-shd.sys
2006-11-10 21:14 61,440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-11-10 21:14 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-11-10 21:14 4,096 --a------ C:\WINDOWS\system32\drivers\epm-psd.sys
2006-11-10 21:14 32,512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2006-11-10 21:14 233,472 --a------ C:\WINDOWS\system32\wpcap.dll
2006-11-10 21:14 <DIR> d-------- C:\Program Files\WinPCap
2006-11-10 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2006-11-10 21:07 <DIR> d--h----- C:\WINDOWS\PIF
2006-11-10 20:57 5,120 --a------ C:\WINDOWS\system32\FILTRCOI.DLL
2006-11-10 20:57 49,152 --a------ C:\WINDOWS\system32\QtBtLib.dll
2006-11-10 20:57 16,896 --a------ C:\WINDOWS\system32\drivers\DKbFltr.SYS
2006-11-10 20:57 <DIR> d-------- C:\Program Files\Launch Manager
2006-11-10 20:57 <DIR> d-------- C:\Documents and Settings\dwc\Bluetooth Software
2006-11-10 20:54 <DIR> d-------- C:\Program Files\WIDCOMM
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\SendTo
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\Application Data\.
2006-11-10 20:52 <DIR> dr-h----- C:\Documents and Settings\dwc\Application Data
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\Start Menu
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\My Documents
2006-11-10 20:52 <DIR> dr------- C:\Documents and Settings\dwc\Favorites
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\Templates
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\PrintHood
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\NetHood
2006-11-10 20:52 <DIR> d--h----- C:\Documents and Settings\dwc\Local Settings
2006-11-10 20:52 <DIR> d---s---- C:\Documents and Settings\dwc\Cookies
2006-11-10 20:52 <DIR> d---s---- C:\Documents and Settings\dwc\Application Data\Microsoft
2006-11-10 20:52 <DIR> d-------- C:\WINDOWS\Acer
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Desktop
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Symantec
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Macromedia
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Identities
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\ATI
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\Acer
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\Application Data\..
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\..
2006-11-10 20:52 <DIR> d-------- C:\Documents and Settings\dwc\.
2006-11-10 20:51 <DIR> d--hs---- C:\System Volume Information
2006-11-10 20:40 261,627 --a------ C:\WINDOWS\EMEAWG.EXE
2006-11-10 20:40 1,154,584 --a------ C:\WINDOWS\YTB.EXE
2006-11-10 17:48 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-30 21:15 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-26 14:39 -------- d-------- C:\Program Files\Symantec
2006-11-26 14:39 -------- d-------- C:\Program Files\SMSC
2006-11-26 14:35 -------- d-------- C:\Program Files\Messenger
2006-11-26 14:34 -------- d-------- C:\Program Files\Internet Explorer
2006-11-26 14:33 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-26 14:33 -------- d-------- C:\Program Files\Common Files\LightScribe
2006-11-25 11:37 -------- d-------- C:\Program Files\Windows Media Player
2006-11-25 10:25 -------- d-------- C:\Program Files\Common Files
2006-11-25 10:10 -------- d-------- C:\Program Files\Adobe
2006-11-24 16:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-23 22:10 -------- d-------- C:\Program Files\Norton AntiVirus
2006-11-23 21:35 48768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-23 21:35 110952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-19 20:56 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2006-11-10 20:40 701 --a------ C:\WINDOWS\CLEANUP.CMD
2006-11-10 20:39 1158 --a------ C:\WINDOWS\HotFix.bat
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-30 09:18 524288 --a------ C:\WINDOWS\opuc.dll
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:24 46345 --a------ C:\WINDOWS\NSSetDefaultBrowser.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"WallPaper"="C:\\PROGRA~1\\WALLPA~1\\WALLPA~1.EXE /h"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"LaunchApp"="Alaunch"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SetIcon"="\\Program Files\\SMSC\\Seticon.exe"
"ntiMUI"="C:\\Program Files\\NewTech Infosystems\\NTI CD & DVD-Maker 7\\ntiMUI.exe"
@=""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ADMTray.exe"="\"C:\\Acer\\Empowering Technology\\admtray.exe\""
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"GraviSense"="C:\\Acer\\GraviSense\\GraviSense.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechCameraAssistant"="C:\\Program Files\\Acer\\OrbiCam\\CameraAssistant.exe"
"LogitechVideo[inspector]"="C:\\Program Files\\Acer\\OrbiCam\\InstallHelper.exe /inspect"
"LogitechCameraService(E)"="C:\\WINDOWS\\system32\\ElkCtrl.exe /automation"
"RTHDCPL"="RTHDCPL.EXE"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"voip phone charger"="\"C:\\Program Files\\Acer\\VoIP Phone Charger\\voip phone charger.exe\""
"WarReg_PopUp"="C:\\Acer\\WR_PopUp\\WarReg_PopUp.exe /idle"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"EOUApp"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="\"C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe\""
"IndexSearch"="\"C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe\""
"Logitech Hardware Abstraction Layer"="\"C:\\Program Files\\Common Files\\Logitech\\khalshared\\KHALMNPR.EXE\""
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"FineReader7NewsReaderPro"="C:\\Program Files\\ABBYY FineReader 7\\AbbyyNewsReader.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - dwc.job

Completion time: 06-11-30 22:40:30.84
C:\ComboFix.txt ... 06-11-30 22:40
C:\ComboFix2.txt ... 06-11-27 07:03

****************************************

Logfile of HijackThis v1.99.1
Scan saved at 11:03:32 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\dwc\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\OpenOffice 2.0\program\soffice.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\OpenOffice 2.0\program\soffice.BIN
C:\Documents and Settings\dwc\Desktop\adisinfect\hijackthis\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: (no name) - {7FB94CF6-E7F9-48C0-AE3F-62849EE88AEF} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [voip phone charger] "C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe"
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /idle
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WallPaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Palm\register.exe
O4 - Startup: Samcal.lnk = C:\Program Files\SamCal\samcal.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
