Deckard's System Scanner v20071014.68
Run by LEE on 2008-05-09 20:16:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as LEE.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:17 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVEO\AVEO UVC Filter Driver Kit\AveoSTI.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Documents and Settings\LEE\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BM5ba9b3d2] Rundll32.exe "C:\WINDOWS\system32\claolhek.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: aveosti.exe.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200978281201
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201159382781
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iIbabBSM - C:\WINDOWS\SYSTEM32\iIbabBSM.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\LEE\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 9321 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 19:59:19 0 d-------- C:\Program Files\Trend Micro
2008-05-09 08:17:20 1035833 --ahs---- C:\WINDOWS\system32\hiPrBcfe.ini2
2008-05-09 00:39:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-08 23:52:01 0 d-------- C:\WINDOWS\ERUNT
2008-05-08 23:49:52 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-08 23:49:52 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-08 23:49:52 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-08 23:49:52 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-08 23:49:52 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-08 23:49:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-08 23:49:52 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-08 23:49:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-08 23:49:52 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-08 23:49:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-08 23:49:52 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-08 23:49:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-08 23:49:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-08 23:49:51 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-08 23:10:21 0 d-------- C:\VundoFix Backups
2008-05-08 22:30:58 0 d-------- C:\Program Files\Exterminate It!
2008-05-08 22:19:20 7331 --ahs---- C:\WINDOWS\system32\MSYbaGgh.ini2
2008-05-08 20:57:18 6518 --ahs---- C:\WINDOWS\system32\VxEggMoq.ini2
2008-05-08 14:37:33 6832 --ahs---- C:\WINDOWS\system32\GffPsYxx.ini2
2008-05-08 14:35:33 0 d-------- C:\WINDOWS\system32\hNF
2008-05-08 14:35:27 0 d-------- C:\WINDOWS\system32\vdTMP
2008-05-08 14:35:27 0 d-------- C:\WINDOWS\system32\din3
2008-05-08 14:32:36 0 d-------- C:\WINDOWS\system32\2033b
2008-05-08 14:32:32 0 d-------- C:\Temp
2008-05-08 14:32:26 28672 --a------ C:\WINDOWS\system32\iIbabBSM.dll
2008-05-07 20:26:38 83968 ---hs---- C:\Documents and Settings\LEE\lsass.exe
2008-04-30 13:46:05 1748 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-30 13:46:02 8138 --a------ C:\WINDOWS\system32\drivers\PenClass.sys
2008-04-30 13:46:00 0 d-------- C:\WINDOWS\system32\WTablet
2008-04-30 13:45:59 102400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-04-30 13:45:59 749568 --a------ C:\WINDOWS\system32\Tablet.exe
2008-04-30 13:45:58 0 d-------- C:\Program Files\Tablet
2008-04-27 15:22:41 0 d-------- C:\Program Files\2BrightSparks

-- Find3M Report ---------------------------------------------------------------

2008-05-09 01:06:12 0 d-------- C:\Documents and Settings\LEE\Application Data\Spyware Terminator
2008-05-09 00:59:12 0 d-------- C:\Program Files\Spyware Terminator
2008-05-08 23:26:55 0 d-------- C:\Program Files\PowerISO
2008-04-23 20:49:49 0 d-------- C:\Documents and Settings\LEE\Application Data\Adobe
2008-04-16 13:26:48 19760 --a------ C:\WINDOWS\system32\nvModes.dat
2008-04-06 19:53:33 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-04-06 19:53:33 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-04-06 19:53:33 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-04-06 19:53:33 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-04-06 19:53:33 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-03-21 12:20:27 0 d-------- C:\Documents and Settings\LEE\Application Data\WinRAR
2008-03-20 19:05:15 0 d-------- C:\Program Files\Crazybump Beta Test
2008-03-19 09:19:24 0 d-------- C:\Program Files\Common Files
2008-03-19 09:19:24 0 d-------- C:\Program Files\Common Files\Control Panels
2008-03-19 09:05:08 0 d-------- C:\Program Files\QuickTime
2008-03-19 08:51:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-19 08:34:34 0 d-------- C:\Program Files\Bonjour
2008-03-18 23:18:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-18 23:17:41 0 d-------- C:\Program Files\AGEIA Technologies
2008-03-18 22:07:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-13 14:52:54 0 d-------- C:\Documents and Settings\LEE\Application Data\CyberLink

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08/10/2007 12:21 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/28/2007 07:05 PM]
"nwiz"="nwiz.exe" [04/28/2007 07:05 PM C:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [03/18/2008 10:07 PM]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [08/14/2007 04:44 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"BM5ba9b3d2"="C:\WINDOWS\system32\claolhek.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 05:01 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [03/18/2008 10:07 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
aveosti.exe.lnk - C:\Program Files\AVEO\AVEO UVC Filter Driver Kit\AveoSTI.exe [1/8/2008 4:29:42 PM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2/27/2007 3:31:34 PM]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [4/30/2008 1:46:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"= C:\WINDOWS\system32\iIbabBSM.dll [05/08/2008 02:32 PM 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iIbabBSM]
iIbabBSM.dll
05/08/2008 02:32 PM 28672 C:\WINDOWS\system32\iIbabBSM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc
p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{154417b7-f145-11dc-943f-0019dbf13fca}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{286bc0b1-f573-11dc-9441-0019dbf13fca}]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{812c9908-0bf3-11dd-9451-0019dbf13fca}]
Auto\command- E:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

-- End of Deckard's System Scanner: finished at 2008-05-09 20:16:51 ------------