

Can't Figure This One Out...


  • This topic is locked
26 replies to this topic

#1 tmagner

tmagner

  • Members
  • 16 posts

Posted 20 December 2006 - 12:54 AM

Hi!

I am at wit's end and need someone to save me from myself...or at least my machine...

I have an XP SP2 install and Winlogon.exe is constantly running at 50% CPU.

I have tried the following:

Run Symantec Antivirus, Ad-Aware, Spybot S&D, Registry Booster, WinPFind, Stinger, etc. They did find and remove, as far as I can tell, ZangoSearch (NAV found it), Zlob.Cap.DX and Smitfraud-C (Spybot S&D). Multiple runs since then have all come back clean.

After I found these I did a repair install, repatched and re-service packed XP to SP2.

I have run Bootvis in normal boot, Safe Mode and Safe Mode with Networking. Winlogon.exe goes back to 'normal' when I run Safe Mode. With Networking enabled it goes back to 50% CPU. From what I can tell from my Bootvis files, once Winlogon.exe loads Mrxsmb.sys the CPU goes up to 50% and stays there. I have replaced the mrxsmb.sys file with successive previous installs all the way back to SP1 (at which point the system does a core dump...), and replaced the Winlogon.exe file as well, with no discernible change.

Also, often when I reboot and log on to the system as Administrator it will immediately log me off. Logging on as a user with Admin rights doesn't seem to do this. The second try always works, but it's still unnerving.

I have run msconfig, removed all of the drivers, etc... and still no joy. Attached is the HijackThis log from the stripped-down config (NOTE: I renamed the C:\WINDOWS\System32\HPZipm12.exe file as a possible culprit, so that's what's in O23).

Logfile of HijackThis v1.99.1
Scan saved at 12:19:46 AM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\BootVis.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122694107901
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://192.168.2.19/tsweb/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://localhost/tsweb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{126B6D07-CC46-4523-8C15-63E908F1A999}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B402496-409E-4C68-8854-ACDB94FAC658}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)

Any help would be MUCH appreciated!!

Thanks in advance!

Tim



#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 20 December 2006 - 08:58 AM

Hello and Welcome to BC. :thumbsup:



Please go to Start > Run, type 'msconfig' (no quotes), select the "Startup" tab, click "Enable all" and run HijackThis. Then post a new HijackThis log. After you run HijackThis, run msconfig again and disable the items BEFORE you reboot.

Edited by amateur, 20 December 2006 - 08:58 AM.


#3 tmagner

tmagner
  • Topic Starter

  • Members
  • 16 posts

Posted 20 December 2006 - 09:05 PM

Hi!

Here's the HJT log with everything running.

Thanks!!

Tim

Logfile of HijackThis v1.99.1
Scan saved at 9:01:45 PM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\util\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bootvis.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\Bootvis_Sleep.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122694107901
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://192.168.2.19/tsweb/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://localhost/tsweb/msrdp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{126B6D07-CC46-4523-8C15-63E908F1A999}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B402496-409E-4C68-8854-ACDB94FAC658}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 20 December 2006 - 09:39 PM

Hi,

Can't see anything unusual. Let's try this tool and see if it can find anything.

Please download Combofix and save it to your desktop.

Note: It is important that it is saved directly to your desktop.

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
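For readers working through logs like the ones posted above, here is a small triage pass over the HijackThis sections that matter for a winlogon.exe investigation: O20 Winlogon Notify DLLs (they run inside winlogon.exe), orphaned "(file missing)"/"(no file)" references, unnamed O16 controls, O17 name servers outside private address space, and O23 services with no publisher. This is an added example, not part of the thread and not a BleepingComputer or HijackThis tool; the sample lines are constructed in the shape of the logs above, and the system32 check assumes the default C:\WINDOWS install unless `system_root` is overridden.

```python
"""Triage pass over a HijackThis v1.99-style log (added example, not a HijackThis tool)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of the logs posted in this thread (not a full log).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} -",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{126B6D07-CC46-4523-8C15-63E908F1A999}: "
    r"NameServer = 192.168.2.19,68.100.16.25",
    r"O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "review" = needs a human look, "info" = worth knowing
    reason: str
    line: str


def parse_entries(lines):
    """Yield (section, body, original line) for each well-formed entry."""
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def winlogon_notify_dlls(lines):
    """Paths of DLLs registered under Winlogon\\Notify, i.e. loaded into winlogon.exe."""
    return [body.rsplit(" - ", 1)[-1]
            for section, body, _ in parse_entries(lines) if section == "O20"]


def triage(lines, allow_public_dns=(), system_root=r"C:\WINDOWS"):
    """Apply a small set of defender-side checks and return findings in log order."""
    findings = []
    sys32 = (system_root + "\\system32\\").lower()
    for section, body, line in parse_entries(lines):
        # Orphaned references: the registry still points at something that is gone.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(section, "review", "target file no longer exists", line))
        # A service with no publisher string deserves a look at the binary itself.
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "review", "service has no publisher information", line))
        # O16 entries normally end in a name and a download URL; a bare GUID is unusual.
        if section == "O16" and body.endswith("-"):
            findings.append(Finding(section, "review",
                                    "downloaded ActiveX control with no name or source URL", line))
        # O17: resolvers outside private space should match what the ISP/admin expects.
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            for ip in (m.group("ips").split(",") if m else []):
                ip = ip.strip()
                try:
                    is_private = ipaddress.ip_address(ip).is_private
                except ValueError:
                    is_private = False  # unparsable value: treat as worth a look
                if not is_private and ip not in allow_public_dns:
                    findings.append(Finding(section, "review",
                                            f"public DNS resolver {ip} not in the expected set", line))
        # O20: anything here runs inside winlogon.exe, the process under investigation.
        if section == "O20":
            path = body.rsplit(" - ", 1)[-1]
            sev = "info" if path.lower().startswith(sys32) else "review"
            findings.append(Finding(section, sev,
                                    "DLL loaded into winlogon.exe; verify publisher and signature", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run it against a saved log with `triage(open("hijackthis.log").read().splitlines())`; pass your ISP's resolvers in `allow_public_dns` so only unexpected name servers are flagged.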



#5 tmagner

tmagner
  • Topic Starter

  • Members
  • 16 posts

Posted 20 December 2006 - 10:00 PM

Hi!

Here it is! I had my XP CD in the drive, which is where the d:\autorun.inf entry is coming from...

Thanks again!

Tim

Administrator - 06-12-20 21:45:54.87 Service Pack 2
ComboFix 06-12-01.2W-BetaE - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


d:\autorun.inf


((((((((((((((((((((((((((((((( Files Created from 2006-11-20 to 2006-12-20 ))))))))))))))))))))))))))))))))))


2006-12-20 21:49 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-20 00:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-12-19 23:28 453,120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2006-12-19 22:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Recent
2006-12-19 19:28 <DIR> d-------- C:\WINDOWS\Prefetch
2006-12-18 23:40 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-12-18 23:40 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-12-18 23:40 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-12-18 22:57 85,376 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2006-12-18 22:57 59,904 --a------ C:\WINDOWS\system32\devenum.dll
2006-12-18 22:57 562,176 --a------ C:\WINDOWS\system32\qedit.dll
2006-12-18 22:57 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2006-12-18 22:57 50,688 --a------ C:\WINDOWS\system32\wstdecod.dll
2006-12-18 22:57 385,024 --a------ C:\WINDOWS\system32\qdvd.dll
2006-12-18 22:57 363,520 --a------ C:\WINDOWS\system32\psisdecd.dll
2006-12-18 22:57 279,040 --a------ C:\WINDOWS\system32\qdv.dll
2006-12-18 22:57 266,240 --a------ C:\WINDOWS\system32\ddraw.dll
2006-12-18 22:57 204,288 --a------ C:\WINDOWS\system32\mswebdvd.dll
2006-12-18 22:57 192,512 --a------ C:\WINDOWS\system32\qcap.dll
2006-12-18 22:57 19,328 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2006-12-18 22:57 17,408 --a------ C:\WINDOWS\system32\msyuv.dll
2006-12-18 22:57 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2006-12-18 22:57 15,360 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2006-12-18 22:57 15,360 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2006-12-18 22:57 11,776 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2006-12-18 22:57 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
2006-12-18 22:57 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2006-12-18 22:57 1,428,480 --a------ C:\WINDOWS\system32\msvidctl.dll
2006-12-18 22:57 1,298,432 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-12-18 22:57 1,179,648 --a------ C:\WINDOWS\system32\d3d8.dll
2006-12-18 22:56 83,456 --a------ C:\WINDOWS\system32\dpvsetup.exe
2006-12-18 22:56 825,344 --a------ C:\WINDOWS\system32\d3dim700.dll
2006-12-18 22:56 82,432 --a------ C:\WINDOWS\system32\dmscript.dll
2006-12-18 22:56 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2006-12-18 22:56 733,696 --a------ C:\WINDOWS\system32\qedwipes.dll
2006-12-18 22:56 71,680 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2006-12-18 22:56 70,656 --a------ C:\WINDOWS\system32\amstream.dll
2006-12-18 22:56 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2006-12-18 22:56 619,008 --a------ C:\WINDOWS\system32\dx7vb.dll
2006-12-18 22:56 61,440 --a------ C:\WINDOWS\system32\dmcompos.dll
2006-12-18 22:56 60,928 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2006-12-18 22:56 590,336 --a------ C:\WINDOWS\system32\d3dramp.dll
2006-12-18 22:56 57,344 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-12-18 22:56 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2006-12-18 22:56 5,376 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2006-12-18 22:56 48,640 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-12-18 22:56 47,616 --a------ C:\WINDOWS\system32\d3dxof.dll
2006-12-18 22:56 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-12-18 22:56 44,032 --a------ C:\WINDOWS\system32\dimap.dll
2006-12-18 22:56 436,224 --a------ C:\WINDOWS\system32\d3dim.dll
2006-12-18 22:56 4,992 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2006-12-18 22:56 4,352 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2006-12-18 22:56 394,240 --a------ C:\WINDOWS\system32\diactfrm.dll
2006-12-18 22:56 375,296 --a------ C:\WINDOWS\system32\dpnet.dll
2006-12-18 22:56 367,616 --a------ C:\WINDOWS\system32\dsound.dll
2006-12-18 22:56 350,208 --a------ C:\WINDOWS\system32\d3drm.dll
2006-12-18 22:56 35,840 --a------ C:\WINDOWS\system32\dmloader.dll
2006-12-18 22:56 35,328 --a------ C:\WINDOWS\system32\pid.dll
2006-12-18 22:56 35,328 --a------ C:\WINDOWS\system32\mciqtz32.dll
2006-12-18 22:56 35,328 --a------ C:\WINDOWS\system32\dpnhpast.dll
2006-12-18 22:56 34,816 --a------ C:\WINDOWS\system32\d3dpmesh.dll
2006-12-18 22:56 30,208 --a------ C:\WINDOWS\system32\dplaysvr.exe
2006-12-18 22:56 3,584 --a------ C:\WINDOWS\system32\dpnlobby.dll
2006-12-18 22:56 3,584 --a------ C:\WINDOWS\system32\dpnaddr.dll
2006-12-18 22:56 28,672 --a------ C:\WINDOWS\system32\dmband.dll
2006-12-18 22:56 23,552 --a------ C:\WINDOWS\system32\dpmodemx.dll
2006-12-18 22:56 229,888 --a------ C:\WINDOWS\system32\dplayx.dll
2006-12-18 22:56 223,232 --a------ C:\WINDOWS\system32\gcdef.dll
2006-12-18 22:56 212,480 --a------ C:\WINDOWS\system32\dpvoice.dll
2006-12-18 22:56 21,504 --a------ C:\WINDOWS\system32\dpvacm.dll
2006-12-18 22:56 20,480 --a------ C:\WINDOWS\system32\encapi.dll
2006-12-18 22:56 19,456 --a------ C:\WINDOWS\system32\dswave.dll
2006-12-18 22:56 181,760 --a------ C:\WINDOWS\system32\dsdmo.dll
2006-12-18 22:56 181,760 --a------ C:\WINDOWS\system32\dinput8.dll
2006-12-18 22:56 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-12-18 22:56 18,432 --a------ C:\WINDOWS\system32\dpnsvr.exe
2006-12-18 22:56 159,232 --a------ C:\WINDOWS\system32\dinput.dll
2006-12-18 22:56 140,928 --a------ C:\WINDOWS\system32\drivers\ks.sys
2006-12-18 22:56 116,736 --a------ C:\WINDOWS\system32\dpvvox.dll
2006-12-18 22:56 105,984 --a------ C:\WINDOWS\system32\dmstyle.dll
2006-12-18 22:56 104,448 --a------ C:\WINDOWS\system32\dmusic.dll
2006-12-18 22:56 103,424 --a------ C:\WINDOWS\system32\dmsynth.dll
2006-12-18 22:56 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2006-12-18 22:56 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
2006-12-18 22:56 1,227,264 --a------ C:\WINDOWS\system32\dx8vb.dll
2006-12-18 22:49 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2006-12-18 22:34 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-18 22:34 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-18 22:12 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-12-18 22:12 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-12-18 22:12 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-12-18 22:12 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-12-18 22:12 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-12-18 22:12 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-12-18 22:12 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-12-18 22:12 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-12-18 22:12 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-12-18 22:12 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-12-18 22:12 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-12-18 22:12 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-12-18 22:12 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-12-18 22:12 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-12-18 22:12 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-18 22:12 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-12-18 22:12 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-12-18 22:12 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-12-18 22:12 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-18 22:12 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-12-18 22:12 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-12-18 22:12 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-12-18 22:12 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-18 22:12 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-12-18 22:12 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-18 22:12 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-12-18 22:10 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-12-18 22:10 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-12-18 22:10 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-12-18 22:10 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-12-18 22:10 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-12-18 22:10 8,704 --a------ C:\WINDOWS\system32\infoctrs.dll
2006-12-18 22:10 8,704 --a------ C:\WINDOWS\system32\fxsperf.dll
2006-12-18 22:10 8,192 --a------ C:\WINDOWS\system32\staxmem.dll
2006-12-18 22:10 72,192 --a------ C:\WINDOWS\system32\fxscom.dll
2006-12-18 22:10 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2006-12-18 22:10 68,608 --a------ C:\WINDOWS\system32\iisext.dll
2006-12-18 22:10 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-18 22:10 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-12-18 22:10 64,512 --a------ C:\WINDOWS\system32\iismap.dll
2006-12-18 22:10 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-18 22:10 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-12-18 22:10 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-12-18 22:10 6,656 --a------ C:\WINDOWS\system32\fxsres.dll
2006-12-18 22:10 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-18 22:10 6,144 --a------ C:\WINDOWS\system32\ftpsapi2.dll
2006-12-18 22:10 6,144 --a------ C:\WINDOWS\system32\admxprox.dll
2006-12-18 22:10 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-12-18 22:10 562,176 --a------ C:\WINDOWS\system32\fxsst.dll
2006-12-18 22:10 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-12-18 22:10 56,320 --a------ C:\WINDOWS\system32\convlog.exe
2006-12-18 22:10 55,296 --a------ C:\WINDOWS\system32\fxsevent.dll
2006-12-18 22:10 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-12-18 22:10 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-18 22:10 5,632 --a------ C:\WINDOWS\system32\w3svapi.dll
2006-12-18 22:10 5,632 --a------ C:\WINDOWS\system32\iisrstap.dll
2006-12-18 22:10 452,096 --a------ C:\WINDOWS\system32\fxsapi.dll
2006-12-18 22:10 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-18 22:10 43,520 --a------ C:\WINDOWS\system32\admwprox.dll
2006-12-18 22:10 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-12-18 22:10 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-18 22:10 400,384 --a------ C:\WINDOWS\system32\fxsxp32.dll
2006-12-18 22:10 4,608 --a------ C:\WINDOWS\system32\w3ctrs.dll
2006-12-18 22:10 397,312 --a------ C:\WINDOWS\system32\fxstiff.dll
2006-12-18 22:10 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-12-18 22:10 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-18 22:10 3,584 --a------ C:\WINDOWS\system32\iismui.dll
2006-12-18 22:10 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-12-18 22:10 290,816 --a------ C:\WINDOWS\system32\adsiis.dll
2006-12-18 22:10 285,184 --a------ C:\WINDOWS\system32\fxscomex.dll
2006-12-18 22:10 27,136 --a------ C:\WINDOWS\system32\fxsdrv.dll
2006-12-18 22:10 267,776 --a------ C:\WINDOWS\system32\fxssvc.exe
2006-12-18 22:10 246,272 --a------ C:\WINDOWS\system32\fxst30.dll
2006-12-18 22:10 23,552 --a------ C:\WINDOWS\system32\fxsmon.dll
2006-12-18 22:10 23,552 --a------ C:\WINDOWS\system32\fxsext32.dll
2006-12-18 22:10 229,376 --a------ C:\WINDOWS\system32\fxscover.exe
2006-12-18 22:10 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-12-18 22:10 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-18 22:10 192,512 --a------ C:\WINDOWS\system32\fxswzrd.dll
2006-12-18 22:10 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-12-18 22:10 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
2006-12-18 22:10 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-12-18 22:10 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-18 22:10 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-12-18 22:10 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-12-18 22:10 154,112 --a------ C:\WINDOWS\system32\fxsui.dll
2006-12-18 22:10 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-12-18 22:10 143,360 --a------ C:\WINDOWS\system32\fxsclnt.exe
2006-12-18 22:10 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-18 22:10 14,336 --a------ C:\WINDOWS\system32\iisreset.exe
2006-12-18 22:10 14,336 --a------ C:\WINDOWS\system32\exstrace.dll
2006-12-18 22:10 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-12-18 22:10 133,632 --a------ C:\WINDOWS\system32\iisrtl.dll
2006-12-18 22:10 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-18 22:10 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-18 22:10 13,312 --a------ C:\WINDOWS\system32\infoadmn.dll
2006-12-18 22:10 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-12-18 22:10 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-18 22:10 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-12-18 22:10 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-12-18 22:10 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-12-18 22:10 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-12-18 22:10 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-18 22:10 10,240 --a------ C:\WINDOWS\system32\aspperf.dll
2006-12-18 22:10 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-12-18 22:09 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-12-18 22:07 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-12-18 22:07 65,795 --a------ C:\WINDOWS\system32\HPZipm12_old.exe
2006-12-18 22:07 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2006-12-18 22:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-18 22:07 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2006-12-18 22:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2006-12-18 22:07 51,056 --a------ C:\WINDOWS\system32\drivers\hpzid412.sys
2006-12-18 22:07 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2006-12-18 22:07 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2006-12-18 22:07 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2006-12-18 22:06 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-12-18 22:06 262,144 --a------ C:\WINDOWS\system32\HPZc3212.dll
2006-12-18 22:06 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-12-18 22:06 21,488 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2006-12-18 22:05 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-12-18 22:04 78,976 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys
2006-12-18 22:04 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-12-18 22:04 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-12-18 22:03 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-12-18 22:03 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-12-18 22:03 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-12-18 22:03 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-12-17 20:38 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2006-12-17 12:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2006-12-17 08:55 <DIR> d-------- C:\WINDOWS\system32\DRM
2006-12-17 08:44 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-17 08:38 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2006-12-17 08:38 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2006-12-17 08:38 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2006-12-17 08:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TextPad
2006-12-17 01:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Google
2006-12-17 00:09 502,272 --a------ C:\winlogon.exe
2006-12-16 21:00 <DIR> d-------- C:\util
2006-12-16 18:17 <DIR> d-------- C:\WINDOWS\pss
2006-12-16 14:23 <DIR> d-------- C:\Program Files\Uniblue
2006-12-09 22:34 <DIR> d-------- C:\Program Files\Security Task Manager
2006-12-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-12-01 23:31 <DIR> d-------- C:\Program Files\Zinio
2006-12-01 23:31 <DIR> d-------- C:\Program Files\Common Files\Zinio
2006-11-28 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-21 06:57 <DIR> d-------- C:\Program Files\ItsDeductible2006
2006-11-21 06:57 <DIR> d-------- C:\Program Files\Educated Investor
2006-11-21 06:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{5F56EA1A-FD11-4FAE-90B5-B8008C1B377D}


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-20 21:52 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-12-19 20:19 -------- d-------- C:\Program Files\Internet Explorer
2006-12-19 19:57 -------- d-------- C:\Program Files\Outlook Express
2006-12-19 19:57 -------- d-------- C:\Program Files\Common Files\System
2006-12-19 07:36 -------- d-------- C:\Program Files\Windows Media Player
2006-12-19 07:29 -------- d-------- C:\Program Files\Windows NT
2006-12-19 07:29 -------- d-------- C:\Program Files\NetMeeting
2006-12-19 07:29 -------- d-------- C:\Program Files\Movie Maker
2006-12-18 22:29 -------- d--h----- C:\Program Files\WindowsUpdate
2006-12-17 20:26 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-12-17 20:26 -------- d-------- C:\Program Files\Windows Media Connect
2006-12-17 20:26 -------- d-------- C:\Program Files\TDK_LabelCreator
2006-12-17 20:26 -------- d-------- C:\Program Files\Quicken
2006-12-17 20:26 -------- d-------- C:\Program Files\Pinnacle
2006-12-17 20:26 -------- d-------- C:\Program Files\MagicISO
2006-12-17 20:26 -------- d-------- C:\Program Files\Flash Saver
2006-12-17 20:26 -------- d-------- C:\Program Files\exPressit S.E. 2.2
2006-12-17 20:26 -------- d-------- C:\Program Files\Dr. Hardware 2005 6.0.0e
2006-12-17 20:26 -------- d-------- C:\Program Files\CollectAsst
2006-12-17 20:26 -------- d-------- C:\Program Files\AIM
2006-12-17 20:26 -------- d-------- C:\Program Files\AdorageI-SAL
2006-12-17 12:14 -------- d-------- C:\Program Files\Google
2006-12-17 12:10 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-17 12:10 -------- d-------- C:\Program Files\Common Files
2006-12-17 12:07 -------- d-------- C:\Program Files\Kodak
2006-12-17 08:36 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-16 22:18 -------- d-------- C:\Program Files\Ubi Soft
2006-12-08 11:09 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-01 21:53 -------- d-------- C:\Program Files\Java
2006-11-21 06:54 -------- d-------- C:\Program Files\TurboTax
2006-11-19 03:04 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-12 19:26 -------- d-------- C:\Program Files\Common Files\Canon
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 11:35 531568 --a------ C:\WINDOWS\system32\RmActivate_isv.exe
2006-11-06 11:35 523376 --a------ C:\WINDOWS\system32\RmActivate.exe
2006-11-06 11:35 519280 --a------ C:\WINDOWS\system32\SecProc_isv.dll
2006-11-06 11:35 518768 --a------ C:\WINDOWS\system32\SecProc.dll
2006-11-06 11:35 358000 --a------ C:\WINDOWS\system32\RmActivate_ssp.exe
2006-11-06 11:35 354416 --a------ C:\WINDOWS\system32\RmActivate_ssp_isv.exe
2006-11-06 11:35 323696 --a------ C:\WINDOWS\system32\msdrm.dll
2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp_isv.dll
2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\SecProc_ssp.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 08:42 -------- d-------- C:\Program Files\iTunes
2006-11-01 08:42 -------- d-------- C:\Program Files\iPod
2006-11-01 08:40 -------- d-------- C:\Program Files\QuickTime
2006-10-20 17:23 -------- d-------- C:\Program Files\Apple Software Update
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-05 20:43 6656 --a------ C:\WINDOWS\system32\haspvdd.dll
2006-10-05 20:43 383 --a------ C:\WINDOWS\system32\haspdos.sys
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Zinio DLM"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Sonic RecordNow!"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"SoundMan"="SOUNDMAN.EXE"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoWelcomeScreen"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"Mouse Suite 98 Daemon"="PELMICED.EXE"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061217-001516-682
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?322
backup-20061217-001516-603
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
backup-20061216-211503-760
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
backup-20061216-210427-771
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Battle B-Daman.job
C:\WINDOWS\tasks\HP Usg Daily.job
C:\WINDOWS\tasks\Spider-Man.job
C:\WINDOWS\tasks\Starting Over.job
C:\WINDOWS\tasks\Teen Titans.job

Completion time: 06-12-20 21:54:08.29

#6 tmagner (Topic Starter, Members, 16 posts)

Posted 20 December 2006 - 10:16 PM

Hi!

Don't know if this makes a difference or not, but after I ran Combofix and rebooted, my system clock switched from a 12hr to 24 hr time and the date was reformatted too...

Tim

#7 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 20 December 2006 - 10:38 PM

Don't know if this makes a difference or not, but after I ran Combofix and rebooted, my system clock switched from a 12hr to 24 hr time and the date was reformatted too...

Yes, ComboFix does that. We can sort that out later.

#8 tmagner (Topic Starter, Members, 16 posts)

Posted 20 December 2006 - 10:46 PM

Ok. Another data point is that I can't launch Adobe Photoshop 5.5 anymore. I get the crash and notify screens.

Thanks!

Tim

#9 tmagner (Topic Starter, Members, 16 posts)

Posted 20 December 2006 - 10:52 PM

And, while we're at it...I have a Pentium 4 HT processor and my task manager indicates that I have 2 processors (Bootvis did too) - it's done this from the start I think (I built the PC myself...ASUS motherboard if it matters).

Now, while it'd be great if I got one of the first ever Core Duo processors...ever...as an undocumented upgrade...I think that's unlikely.

I don't know if what I'm seeing is the HT in action or something else.

As a result, in my task manager one of the CPU histories has the usage at like 1% and the other has it at 100% - averaging out to the 50% that is being chewed up by winlogon.

Throwing it all into the mix...

Thanks!!

Tim

#10 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 21 December 2006 - 11:08 AM

Hi,

Another data point is that I can't launch Adobe Photoshop 5.5 anymore. I get the crash and notify screens.

I have no idea why that would happen. We have done nothing to cause that. You may try uninstall/reinstall of the program.

There is an entry in the HijackThis backup section of the Combofix:

20061217-001516-682 : O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll. I don't know why you had that fixed, it's a legitimate entry, Intel graphics control. You might like to restore that.

Run hijackthis, click 'Open the Misc Tools Section'

Click the Backups button at the top, then put a checkmark next to the above entry and click 'restore'.

Make sure you are in normal mode and not Safe mode.

Now, while it'd be great if I got one of the first ever Core Duo processors...ever...as an undocumented upgrade...I think that's unlikely.

:thumbsup:

You might also like to read this info on Bootvis: http://www.microsoft.com/whdc/system/syspe...ot/default.mspx

I noticed that you have some scheduled tasks for games listed below, are they updates?:

Battle B-Daman.
Spider-Man
Starting Over
Teen Titans

==============================

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not use it yet.

==============================

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

================================

Please print these instructions so that you can have access to them while you're in Safe Mode from here on.

================================

Make sure that you can see hidden files
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

==============================

Reboot your computer in Safe Mode using the F8 method below.
a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

==============================

Using Windows Explorer, navigate to and delete the following:

C:\winlogon.exe Make sure that you don't delete the legitimate winlogon.exe which resides in C:\WINDOWS\system32\winlogon.exe.
C:\Documents and Settings\All Users\Application Data\{5F56EA1A-FD11-4FAE-90B5-B8008C1B377D}

==============================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user.

==============================

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

==============================

Reboot in Normal Mode

==============================

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click on Posted Image located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting Posted Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Posted Image then click Posted Image and post back the contents please.
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


==============================

Post back

AVG Anti Spyware log
Panda results
a fresh HijackThis log please.

Edited by amateur, 21 December 2006 - 09:17 PM.
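The C:\winlogon.exe entry the helper singles out above is a name masquerade: a file called like a core Windows binary but sitting outside the directory where that binary lives. As an added example (not code from the thread, ComboFix or the helper), the Python below parses ComboFix-style listing lines of the form "date time size attributes path" and flags such look-alikes; the expected-directory table is an assumption for a default XP install, and the sample lines are constructed except for the C:\winlogon.exe line taken from the log above.

```python
"""Flag system-binary look-alikes in a ComboFix-style file listing.

Added example for the thread above; not ComboFix's or the helper's code.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One listing line, e.g. "2006-12-17 00:09 502,272 --a------ C:\winlogon.exe".
# The size field is a comma-grouped number, "<DIR>" or (Find3M section) dashes.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d[\d,]*|<DIR>|-+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Where each core binary legitimately lives on a default XP install
# (assumption for this example; adjust for other Windows versions).
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories and Find3M entries without a size
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for banners/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("size")
    size = int(raw.replace(",", "")) if raw[0].isdigit() else None
    return Entry(m.group("date"), m.group("time"), size,
                 m.group("attrs").lower(), m.group("path"))


def find_masquerades(lines: Iterable[str]) -> List[Entry]:
    """Files named like a core binary but located outside its home directory."""
    hits: List[Entry] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.is_dir:
            continue
        norm = ntpath.normcase(entry.path)  # lowercase, backslashes
        expected = EXPECTED_DIR.get(ntpath.basename(norm))
        if expected is not None and ntpath.dirname(norm) != expected:
            hits.append(entry)
    return hits


def describe(entry: Entry) -> str:
    name = ntpath.basename(ntpath.normcase(entry.path))
    return (f"{entry.path} ({entry.size} bytes, {entry.date} {entry.time}): "
            f"named like {name}, expected under {EXPECTED_DIR[name]}")


# Constructed sample listing; only the first line comes from the thread's log.
SAMPLE_LISTING = [
    "2006-12-17 00:09 502,272 --a------ C:\\winlogon.exe",
    "2006-12-16 21:00 <DIR> d-------- C:\\util",
    "2004-08-04 07:00 502,272 --a------ C:\\WINDOWS\\system32\\winlogon.exe",
    "2006-12-18 22:10 14,336 --a------ C:\\WINDOWS\\system32\\iisreset.exe",
    "2006-12-19 07:29 -------- d-------- C:\\Program Files\\NetMeeting",
    "2006-12-20 21:54 14,336 --a------ C:\\Documents and Settings\\All Users\\svchost.exe",
    "(((((((((( Find3M Report ))))))))))",
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_LISTING):
        print(describe(hit))
```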


#11 tmagner (Topic Starter, Members, 16 posts)

Posted 22 December 2006 - 03:27 PM

Hi!

Here's the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:00:33 AM 12/22/2006

+ Scan result:



C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@CAYJY75I.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@ad.admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@ad.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\tmagner_profile\Cookies\tmagner@ad.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.37:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.26:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@news.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\tmagner_profile\Cookies\tmagner@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.13:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.12:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.14:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.15:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.16:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.18:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.22:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.30:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.31:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.32:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.33:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.34:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.6:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@ehg-dig.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@ehg-hasbro.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@ehg-hasbro.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\tmagner_profile\Cookies\tmagner@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Sheryl\Cookies\sheryl@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Sheryl\Cookies\sheryl@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Sheryl\Cookies\sheryl@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\tmagner_profile\Cookies\tmagner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.23:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.27:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.24:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.25:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.25:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.26:C:\Documents and Settings\tmagner.HOME\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@tfag[2].txt -> TrackingCookie.Tfag : Cleaned.
C:\tmagner_profile\Cookies\tmagner@tfag[2].txt -> TrackingCookie.Tfag : Cleaned.
C:\Documents and Settings\Harrison\Cookies\harrison@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Sheryl\Cookies\sheryl@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.28:C:\tmagner_profile\Application Data\Mozilla\Firefox\Profiles\5u6oktb5.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\tmagner_profile\Cookies\tmagner@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.


::Report end

#12 tmagner (Topic Starter)

Posted 22 December 2006 - 03:29 PM

Here's the Panda Report:


Incident | Status | Location
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\Harrison\Cookies\harrison@cgi-bin[3].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Harrison\Cookies\harrison@searchportal.information[1].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Harrison\Cookies\harrison@searchportal.information[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Harrison\Cookies\harrison@searchportal.information[3].txt
Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\Documents and Settings\Harrison\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Sheryl\Cookies\sheryl@searchportal.information[2].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@cgi-bin[4].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@cgi-bin[5].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@cgi-bin[7].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@errorsafe[1].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@searchportal.information[1].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@searchportal.information[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@searchportal.information[3].txt
Spyware:Cookie/Target | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@target[1].txt
Spyware:Cookie/Target | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@target[2].txt
Spyware:Cookie/Target | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@target[3].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@tucows[2].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\tmagner.HOME\Cookies\tmagner@www.errorsafe[1].txt
Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\Documents and Settings\tmagner.HOME\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\TEMP\smit\SmitfraudFix\Process.exe
Spyware:Cookie/Belnk | Not disinfected | C:\tmagner_profile\Cookies\tmagner@belnk[1].txt
Spyware:Cookie/did-it | Not disinfected | C:\tmagner_profile\Cookies\tmagner@did-it[2].txt
Spyware:Cookie/Belnk | Not disinfected | C:\tmagner_profile\Cookies\tmagner@dist.belnk[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\tmagner_profile\Cookies\tmagner@searchportal.information[1].txt
Spyware:Cookie/seeqA | Not disinfected | C:\tmagner_profile\Cookies\tmagner@www.seeq[1].txt


Here's the latest HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 15:26, on 06-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskmgr.exe
C:\util\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122694107901
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://192.168.2.19/tsweb/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://localhost/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{126B6D07-CC46-4523-8C15-63E908F1A999}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B402496-409E-4C68-8854-ACDB94FAC658}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

#13 tmagner (Topic Starter)

Posted 22 December 2006 - 04:00 PM

I noticed that you have some scheduled tasks for games listed below, are they updates?:

Battle B-Daman.
Spider-Man
Starting Over
Teen Titans


These were TV shows I was recording for my kids... I already deleted the entries.

Thanks!

#14 amateur (Malware Response Team)

Posted 22 December 2006 - 04:25 PM

Hi again,


Thanks for the logs and the info. It's looking much better from my end. How is it there?

Disable AVG Anti Spyware shield (change status to inactive).

Scan with HijackThis and put a checkmark against the following entries:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


Close all other windows except HijackThis and click on "fix checked".

==========================
Using Windows Explorer (right click on Start, click on Explore) navigate to and delete the following folders:

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip
C:\TEMP\smit (if you are not keeping anything else in the TEMP folder, you can delete that instead)
C:\tmagner_profile\Cookies <======= delete the contents of this folder

==========================

Run Ccleaner from each of the following accounts:

Harrison\
Sheryl\
tmagner.HOME\

==============================

Your Java is out of date.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says " Java Runtime Environment (JRE) 5.0 Update 9
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
=============================

Post a fresh HijackThis log and let me know how things are.
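
The triage in the post above is done by eye: the two "(no file)" entries get fixed and the rest of the log is read for anything that does not belong. The script below is an added example, written for this page and not part of the thread or of HijackThis, that does that first read of a v1.99.1 log automatically: it flags orphaned O2/O3 entries, O16 ActiveX codebases from hosts outside an allow-list, O17 resolvers outside an expected set, every O20 Winlogon Notify DLL, and O23 services with no known owner or a missing binary. The allow-list of ActiveX hosts and the expected DNS set are assumptions, and the sample log is constructed from entries posted in this thread. A flag means "verify", not "malware". One point that matters for this particular thread: O20 Winlogon Notify DLLs are loaded into winlogon.exe itself, the process the topic starter sees pinned at 50% CPU, so those two DLLs are the entries whose publisher should be confirmed first.

```python
"""Triage a HijackThis 1.99.1 log the way a responder reads one: orphaned
BHO/toolbar entries (O2/O3), ActiveX download sites (O16), DNS resolvers (O17),
Winlogon notification DLLs (O20), services without owner or binary (O23).
A flag means "look here", not "this is malware"."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed sample, modelled on entries posted in this thread (not a full
# log). Backslashes are doubled only because this is a Python literal.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://192.168.2.19/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{126B6D07-CC46-4523-8C15-63E908F1A999}: NameServer = 192.168.2.19,68.100.16.25
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\\WINDOWS\\System32\\HPZipm12.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Assumed allow-list of ActiveX codebase hosts; extend it for your own environment.
TRUSTED_DPF_SUFFIXES = frozenset({"microsoft.com", "windowsupdate.com"})

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\}(?: \((?P<name>.*)\))? -\s*(?P<url>\S*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>[^-]+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def host_kind(host: str) -> str:
    """Classify a codebase host as private IP, public IP or DNS name."""
    try:
        return "private IP" if ipaddress.ip_address(host).is_private else "public IP"
    except ValueError:
        return "name"


def triage(log_text: str, expected_dns: Optional[Set[str]] = None,
           trusted: frozenset = TRUSTED_DPF_SUFFIXES) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the 'Running processes' list
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            out.append(Finding(sec, "orphaned registry entry, DLL not on disk", line))
        elif sec == "O16":
            d = DPF_RE.match(body)
            if d is None:
                out.append(Finding(sec, "DPF entry in an unexpected format", line))
            elif not d.group("url"):
                out.append(Finding(sec, "ActiveX entry with no codebase URL shown", line))
            else:
                host = (urlparse(d.group("url")).hostname or "").lower()
                if not any(host == s or host.endswith("." + s) for s in trusted):
                    out.append(Finding(sec, f"ActiveX control fetched from {host} "
                                            f"({host_kind(host)}), not a trusted host", line))
        elif sec == "O17":
            n = NS_RE.search(body)
            for server in (n.group("servers").split(",") if n else []):
                if expected_dns is None or server not in expected_dns:
                    out.append(Finding(sec, f"DNS resolver {server} is not in the expected set", line))
        elif sec == "O20":
            w = NOTIFY_RE.match(body)
            if w:
                where = "inside" if "\\system32\\" in w.group("path").lower() else "OUTSIDE"
                out.append(Finding(sec, f"{w.group('name').strip()} is loaded into winlogon.exe "
                                        f"({where} system32); verify its publisher", line))
        elif sec == "O23":
            s = SERVICE_RE.match(body)
            if s and (s.group("owner") == "Unknown owner" or s.group("path").endswith("(file missing)")):
                out.append(Finding(sec, "service with unknown owner or missing binary", line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"192.168.2.19"}):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run as-is to see the findings for the embedded sample; for a real log, read the file and call triage() with the resolvers you expect on that network (here the LAN server 192.168.2.19 is expected, so only the second resolver is flagged). The system32 check on O20 is a weak heuristic on its own, since malware is happy to drop a DLL there too; the point of listing every notification package is that each one is code running inside winlogon.exe and deserves a signature check.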

#15 tmagner (Topic Starter)

Posted 22 December 2006 - 05:36 PM

Hi!

Included below is the latest log (run from my logon rather than Admin...don't know if that makes any dif...)

So far no discernible difference in the computer. Winlogon still runs at 50%...

Thanks!!


Logfile of HijackThis v1.99.1
Scan saved at 5:34:57 PM, on 12/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\util\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Outlook\OFFICE11\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/connectcomputer/nshelp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...86/client/muweb_site.cab?1122694107901
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://192.168.2.19/tsweb/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://localhost/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{126B6D07-CC46-4523-8C15-63E908F1A999}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B402496-409E-4C68-8854-ACDB94FAC658}: NameServer = 192.168.2.19,68.100.16.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1147955B-E565-4BBF-BD2E-F463DADAEB8C}: NameServer = 192.168.2.19
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe



