-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 3 Restore Point(s) --
3: 2008-01-28 22:12:54 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-01-28 00:36:23 UTC - RP2 - Installed Backup Dell-Installed Programs
1: 2008-01-27 22:47:46 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as joe.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:56 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
I:\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\joe.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\khfefeb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B25FB4B6-8BC5-4F2A-876B-12615D0DE500} - C:\WINDOWS\system32\jkklm.dll
O20 - Winlogon Notify: khfefeb - C:\WINDOWS\SYSTEM32\khfefeb.dll

--
End of file - 1603 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080127-170003-130 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
backup-20080127-170003-219 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080127-170003-244 O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
backup-20080127-170003-316 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
backup-20080127-170003-401 O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
backup-20080127-170003-418 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
backup-20080127-170003-468 O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
backup-20080127-170003-507 O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
backup-20080127-170003-546 O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
backup-20080127-170003-561 O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
backup-20080127-170003-642 O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000002.00000002&b=00000082.0000000f.0000001b&c=00000082.00000010.00000020&d=00000082.0000001e.0000004a&e=00000082.00000049.000000b9
backup-20080127-170003-649 O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
backup-20080127-170003-729 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080127-170003-739 O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
backup-20080127-170003-753 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080127-170003-759 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
backup-20080127-170003-764 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
backup-20080127-170003-767 O4 - HKLM\..\Run: [QuickTime Task] "F:\quick\quicktime pro and keygen\QTTask.exe" -atboottime
backup-20080127-170003-816 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
backup-20080127-170003-847 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
backup-20080127-170003-917 O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
backup-20080127-170003-920 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
backup-20080127-170003-944 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080127-170003-952 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
backup-20080127-170004-368 O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
backup-20080127-170004-689 O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080127-170004-745 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
backup-20080127-170005-103 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
backup-20080127-170005-323 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
backup-20080127-170005-397 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
backup-20080127-170006-694 O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
backup-20080127-170007-638 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
backup-20080127-170008-183 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094364674844
backup-20080127-170008-451 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198873078693
backup-20080127-170009-379 O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080127-170009-631 O17 - HKLM\System\CCS\Services\Tcpip\..\{1035D0A4-E17C-4375-95EA-3DB5CD877506}: NameServer = 68.94.156.1,68.94.157.1
backup-20080127-170009-749 O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
backup-20080127-170009-959 O16 - DPF: {99252AF5-C8A6-9028-8D6B-993FACB5EACA} - http://performanceoptimizer.com/files/PerformanceOptimizerPre_Installer.cab
backup-20080127-170009-992 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 HPZid4122 - c:\windows\system32\drivers\hpzid4122.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys
R2 ousbehci (OrangeWare USB Enhanced Host Controller Service) - c:\windows\system32\drivers\ousbehci.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\windows\system32\drivers\ousb2hub.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys
S3 MR97310_USB_DUAL_CAMERA (CIF Dual-Mode Camera) - c:\windows\system32\drivers\mr97310c.sys
S3 RioS30 (RioS30S driver) - c:\windows\system32\drivers\rios30.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" (file missing)
S4 YPCService - c:\windows\system32\ypcser~1.exe

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_01\4&22656C78&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_2449&SUBSYS_30138086&REV_01\4&22656C78&0&40F0
Service: E100B

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&F29DB88&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&F29DB88&0
Service: i8042prt

-- Scheduled Tasks -------------------------------------------------------------

2008-01-28 17:00:08 444 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-01-26 09:55:01 358 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2008-01-21 11:48:07 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-12-28 and 2008-01-28 -----------------------------

2008-01-28 17:11:35 0 d-------- C:\!KillBox
2008-01-27 19:36:30 0 d-------- C:\Program Files\Dell
2008-01-27 16:57:56 0 d-------- C:\Program Files\Trend Micro
2008-01-27 13:49:12 0 dr-h----- C:\Documents and Settings\joe\Recent
2008-01-26 15:45:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-26 15:45:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-26 15:45:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-26 15:45:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-01-26 15:45:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-26 15:45:02 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-26 15:45:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-26 15:45:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-01-26 15:45:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-26 15:45:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-01-26 15:45:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-26 15:45:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-01-26 15:45:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-26 15:45:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-26 15:44:11 0 d-------- C:\WINDOWS\CSC
2008-01-26 13:05:33 665 --ahs---- C:\WINDOWS\system32\mlkkj.ini2
2008-01-26 13:05:25 331776 -----n--- C:\WINDOWS\system32\jkklm.dll
2008-01-26 13:02:28 36864 --a------ C:\WINDOWS\system32\qomkihe.dll
2008-01-26 13:01:31 86144 --a------ C:\WINDOWS\system32\drivers\HPZid4122.sys
2008-01-26 13:01:20 36864 --a------ C:\WINDOWS\system32\gebaayy.dll
2008-01-26 13:00:13 36864 --a------ C:\WINDOWS\system32\khfefeb.dll
2008-01-20 16:59:41 0 d-------- C:\Documents and Settings\joe\Application Data\GetRightToGo
2008-01-18 17:27:52 0 d-------- C:\Documents and Settings\joe\Application Data\Viewpoint
2008-01-18 08:17:21 0 d-------- C:\Program Files\AOL Search
2008-01-16 17:15:58 0 d-------- C:\Program Files\Nero
2008-01-16 16:21:40 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-15 16:07:59 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-01-13 06:05:57 0 d-------- C:\Program Files\Performanceoptimizer (Free)
2008-01-10 19:44:58 0 d-------- C:\Documents and Settings\joe\Application Data\ImgBurn
2008-01-01 09:02:18 0 d-------- C:\Documents and Settings\joe\Application Data\U3
2007-12-30 14:03:51 0 d-------- C:\ConverterOutput
2007-12-30 14:03:41 262144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-12-30 14:03:41 395776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-12-30 14:03:41 112640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-12-30 14:03:41 34820 --a------ C:\WINDOWS\system32\ffdshow.reg
2007-12-30 14:03:40 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-12-30 14:03:40 14909 --a------ C:\WINDOWS\system32\A_reg.reg
2007-12-30 14:03:37 0 d-------- C:\Program Files\Cucusoft
2007-12-29 03:19:17 0 d-------- C:\Program Files\MSXML 6.0
2007-12-28 17:13:25 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2007-12-28 17:12:29 0 d-------- C:\Program Files\Zune
2007-12-28 16:58:52 0 d-------- C:\Program Files\DIFX
2007-12-28 16:58:45 0 d-------- C:\Program Files\Common Files\ComponentOne

-- Find3M Report ---------------------------------------------------------------

2008-01-27 17:22:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-27 15:20:11 0 d-------- C:\Program Files\Common Files\Ahead
2008-01-27 13:44:01 0 d-------- C:\Program Files\Common Files\AOL
2008-01-27 13:24:39 0 d-------- C:\Program Files\AIM
2008-01-27 13:24:23 0 d-------- C:\Documents and Settings\joe\Application Data\Aim
2008-01-26 13:09:54 0 d-------- C:\Documents and Settings\joe\Application Data\uTorrent
2008-01-24 19:26:27 0 d-------- C:\Documents and Settings\joe\Application Data\Vso
2008-01-24 19:25:50 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-20 14:35:11 0 d-------- C:\Documents and Settings\joe\Application Data\Adobe
2008-01-17 20:32:44 0 d-------- C:\Program Files\AOD
2008-01-17 18:17:54 0 d-------- C:\Documents and Settings\joe\Application Data\Ahead
2008-01-01 09:57:09 0 d-------- C:\Program Files\SlySoft
2008-01-01 09:52:37 0 d-------- C:\Program Files\DVDFab Platinum 3
2007-12-28 16:58:45 0 d-------- C:\Program Files\Common Files
2007-12-26 17:11:57 0 d-------- C:\Documents and Settings\joe\Application Data\TomTom
2007-12-26 17:11:00 0 d-------- C:\Program Files\TomTom HOME 2
2007-12-26 17:09:45 0 d-------- C:\Documents and Settings\joe\Application Data\InstallShield
2007-12-04 05:38:24 0 d-------- C:\Program Files\XoftSpySE

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E85C971-F9E7-4F4D-A059-14FA00220C7A}]
01/26/2008 01:00 PM 36864 --a------ C:\WINDOWS\system32\khfefeb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B25FB4B6-8BC5-4F2A-876B-12615D0DE500}]
01/26/2008 01:05 PM 331776 --------- C:\WINDOWS\system32\jkklm.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5E85C971-F9E7-4F4D-A059-14FA00220C7A}"= C:\WINDOWS\system32\khfefeb.dll [01/26/2008 01:00 PM 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfefeb]
khfefeb.dll 01/26/2008 01:00 PM 36864 C:\WINDOWS\system32\khfefeb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1783677b-d333-11db-96c3-00400534666a}]
AutoRun\command- I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e37117fb-af41-11dc-9752-00400534666a}]
AutoRun\command- J:\InstallTomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28976088-E684-339B-0206-050403020505}]
C:\WINDOWS\msnx.exe

-- Hosts -----------------------------------------------------------------------

127.0.0.1 search.kazaa.com
127.0.0.1 update.111222.cn
127.0.0.1 msg.ppstream.com

-- End of Deckard's System Scanner: finished at 2008-01-28 17:16:14 ------------
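What makes this log worth reading closely is the correlation it lets you draw: khfefeb.dll is registered as a BHO, as a ShellExecuteHook and as a Winlogon Notify DLL, jkklm.dll is appended to the LSA "Authentication Packages" list (so it loads into lsass.exe), and the "Files created" section shows both files, plus gebaayy.dll and qomkihe.dll, dropped into system32 within minutes of each other on 2008-01-26. The script below is an added example, not part of the posted log and not code from Deckard's System Scanner: it pulls that correlation out of a DSS log automatically by parsing the Registry Dump, the HijackThis O2/O20 lines and the "Files created" section, and rates a load-point entry "high" when the module it names was created inside the scan window. SAMPLE_LOG is assembled from lines copied from the post; the list of load points, the DEFAULT_AUTH_PACKAGES set and the severity rule are this example's own assumptions.

```python
"""Correlate persistence load points with recently created files in a DSS /
HijackThis-style log. Added example, not code from the posted log or from
Deckard's System Scanner: SAMPLE_LOG is copied from the log above; the
load-point list and the severity rule are this example's own assumptions."""
import itertools
import re
from collections import namedtuple

# Load points (case-insensitive substrings of the registry key) where a DLL/EXE
# runs inside a trusted process with no user action.
LOAD_POINTS = {
    "winlogon\\notify": "Winlogon Notify DLL, loaded by winlogon.exe as SYSTEM",
    "control\\lsa": "LSA Authentication Package, loaded into lsass.exe",
    "explorer\\shellexecutehooks": "ShellExecuteHook, loaded by explorer.exe",
    "active setup\\installed components": "Active Setup component, run per user at logon",
}
HJT_PREFIXES = {"O2 - BHO:": "Browser Helper Object, loaded into iexplore.exe",
                "O20 - Winlogon Notify:": "Winlogon Notify DLL, loaded by winlogon.exe as SYSTEM"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only package Windows XP ships with (assumption)
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s\[\]"]+')  # path token inside a registry value line
TAIL_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")  # HijackThis prints the path last, spaces and all
FILE_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+(\S{9})\s+(.+)$")
# severity is "high" when the module was created inside the scan window (assumption)
Finding = namedtuple("Finding", "location reason module created severity")

def _stem(path):  # lower-case file name without directory or extension
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]

def _section(lines, header):  # lines of the DSS section introduced by `header`
    body = itertools.dropwhile(lambda ln: not ln.startswith(header), iter(lines))
    next(body, None)  # drop the header line itself
    return itertools.takewhile(lambda ln: not ln.startswith("-- "), body)

def parse_recent_files(lines):  # {stem: created}; directories carry a 'd' attribute
    recent = {}
    for ln in _section(lines, "-- Files created"):
        m = FILE_RE.match(ln)
        if m and not m.group(2).startswith("d"):
            recent[_stem(m.group(3))] = m.group(1)
    return recent

def parse_registry(lines):  # (key, value line) pairs from the Registry Dump section
    key = None
    for ln in _section(lines, "-- Registry Dump"):
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
        elif key and ln.strip():
            yield key, ln

def find_persistence(log_text):
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    recent = parse_recent_files(lines)  # keyed by stem: LSA lists "jkklm", not jkklm.dll
    findings = []
    def add(location, reason, module):
        created = recent.get(_stem(module), "")
        findings.append(Finding(location, reason, module, created, "high" if created else "review"))
    for key, val in parse_registry(lines):
        for needle, reason in LOAD_POINTS.items():
            if needle not in key.lower():
                continue
            if needle == "control\\lsa":  # value is a space-separated package list
                for pkg in val.split("=", 1)[1].split():
                    if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                        add(key, reason, pkg)
            else:
                for mod in PATH_RE.findall(val):
                    add(key, reason, mod)
    for ln in lines:  # HijackThis O2/O20 lines report the same load points
        for prefix, reason in HJT_PREFIXES.items():
            m = TAIL_PATH_RE.search(ln) if ln.startswith(prefix) else None
            if m:
                add(prefix.rstrip(":"), reason, m.group(0))
    return sorted(findings, key=lambda f: (f.severity != "high", _stem(f.module)))

def load_points_per_module(findings):  # one module wired into several load points is the strongest signal
    out = {}
    for f in findings:
        out.setdefault(_stem(f.module), set()).add(f.location)
    return out

# Constructed sample: lines copied from the posted log, abridged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\WINDOWS\system32\khfefeb.dll
O2 - BHO: (no name) - {B25FB4B6-8BC5-4F2A-876B-12615D0DE500} - C:\WINDOWS\system32\jkklm.dll
O20 - Winlogon Notify: khfefeb - C:\WINDOWS\SYSTEM32\khfefeb.dll
-- Files created between 2007-12-28 and 2008-01-28 -----------------------------
2008-01-28 17:11:35 0 d-------- C:\!KillBox
2008-01-26 13:05:25 331776 -----n--- C:\WINDOWS\system32\jkklm.dll
2008-01-26 13:00:13 36864 --a------ C:\WINDOWS\system32\khfefeb.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5E85C971-F9E7-4F4D-A059-14FA00220C7A}"= C:\WINDOWS\system32\khfefeb.dll [01/26/2008 01:00 PM 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfefeb]
khfefeb.dll 01/26/2008 01:00 PM 36864 C:\WINDOWS\system32\khfefeb.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklm
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28976088-E684-339B-0206-050403020505}]
C:\WINDOWS\msnx.exe
"""
```

Calling find_persistence(SAMPLE_LOG) returns the six khfefeb/jkklm entries first, all "high" because both DLLs appear in the "Files created" window, followed by msnx.exe (Active Setup) and Spybot's SDHelper.dll as "review": neither is in the window, so the script has no evidence either way and leaves them to the analyst. load_points_per_module() groups the same findings by file stem, which is where khfefeb.dll stands out: one DLL wired into four separate load points is a stronger indicator than any single registration. The TAIL_PATH_RE choice matters on real logs, because a naive split on " - " breaks on paths such as "Spybot - Search & Destroy".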