
Please Help, HJT log included


  • This topic is locked

#1 spamn (Member, 14 posts)
I restarted my computer today and I had a splash screen from a program called Themida. I had to click on 5 instances of it for it to go away. My computer freezes up now. It tells me the task manager has access denied.

Here is my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 10:31:08 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\SAMUEL~1\LOCALS~1\Temp\Rar$EX00.219\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [startkey] D:\WINDOWS\svchort.exe
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [startkey] D:\WINDOWS\svchort.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - D:\WINDOWS\D:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

And here is my HJT startup log...

StartupList report, 10/5/2006, 10:32:08 PM
StartupList version: 1.52.2
Started from : D:\DOCUME~1\SAMUEL~1\LOCALS~1\Temp\Rar$EX05.672\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\SAMUEL~1\LOCALS~1\Temp\Rar$EX05.672\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = D:\WINDOWS\ehome\ehtray.exe
HP Software Update = D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
SunJavaUpdateSched = D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
NWEReboot =
SoundMan = SOUNDMAN.EXE
QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
Windows Defender = "D:\Program Files\Windows Defender\MSASCui.exe" -hide
NeroFilterCheck = D:\WINDOWS\system32\NeroCheck.exe
Generic Host Process = D:\WINDOWS\system32\scvhost.exe
startkey = D:\WINDOWS\svchort.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Generic Host Process = D:\WINDOWS\system32\scvhost.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
AIM = D:\Program Files\AIM\aim.exe -cnetwait.odl
H/PC Connection Agent = "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
ctfmon.exe = D:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager = "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
startkey = D:\WINDOWS\svchort.exe
SpybotSD TeaTimer = D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Load/Run keys from D:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=D:\WINDOWS\system32\scvhost.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=D:\WINDOWS\system32\scvhost.exe
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
SCRNSAVE.EXE=D:\WINDOWS\system32\FlSaver.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = D:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[VerifyGMN Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\hpobjinstaller_gmn.dll
CODEBASE = http://h20270.www2.h...staller_gmn.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[SysData Class]
InProcServer32 = D:\WINDOWS\DOWNLO~1\SysInfo.dll
CODEBASE = http://ipgweb.cce.hp...ads/sysinfo.cab

[MSN Photo Upload Tool]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by114fd.bay11...es/MsnPUpld.cab

[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\system32\msxml4.dll
CODEBASE = http://ipgweb.cce.hp...oads/msxml4.cab

[HPObjectInstaller Class]
InProcServer32 = D:\Program Files\Hewlett-Packard\eSupportDiags\HPCommunication.dll
CODEBASE = http://h30155.www3.h...edsolutions.cab

[Get_ActiveX Control]
InProcServer32 = D:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1....loadManager.ocx

[Shockwave Flash Object]
InProcServer32 = D:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[SAIX]
CODEBASE = http://static.zangoc...ed883317b5f6dce

[Driver Agent ActiveX Control]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\driveragent.ocx
CODEBASE = http://driveragent.c...driveragent.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: D:\WINDOWS\system32\webcheck.dll
SysTray: D:\WINDOWS\system32\stobject.dll
WPDShServiceObj: D:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Generic Host Process = D:\WINDOWS\system32\scvhost.exe

--------------------------------------------------

End of report, 8,720 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Any input is helpful.

Thanks in advance,
Sam
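An added triage script (not from this thread and not part of HijackThis) that applies, over sample lines copied from the logs in this thread, the checks a helper performs by eye: executables whose names differ from a Windows system binary by one or two characters (scvhost.exe, svchort.exe), a system.ini Shell value that starts anything besides Explorer.exe, a populated win.ini load/run value, a BHO that is not a .dll, and the DisableRegedit policy. The list of system binaries, the edit-distance threshold and the rule set are assumptions of this example.

```python
"""Triage of HijackThis log lines for the indicators seen in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows XP system binaries whose names malware commonly imitates
# (assumption: a short reviewer's list, not anything HijackThis ships).
SYSTEM_BINARIES = sorted({
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
})

# Constructed sample: lines copied from the two HijackThis logs in this
# thread, with benign entries from the same logs mixed in.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - D:\WINDOWS\system32\wsock32.sys
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [startkey] D:\WINDOWS\svchort.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# A path-like token ending in an executable extension. '=' and brackets are
# excluded so that 'Shell=Explorer.exe' and '[ctfmon.exe]' yield clean names.
EXE_TOKEN = re.compile(r'[^\s"\[\]=]+\.(?:exe|sys|dll|scr)\b', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def file_names(text: str) -> List[str]:
    """Lower-cased base names of every executable-looking token in text."""
    return [m.group(0).split("\\")[-1].lower() for m in EXE_TOKEN.finditer(text)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """System binary that `name` imitates, or None if exact or unrelated."""
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) <= 2:   # threshold is an assumption
            return real
    return None


def triage(log: str) -> List[Finding]:
    """Apply the reviewer's heuristics from this thread to each log line."""
    findings: List[Finding] = []
    for line in log.strip().splitlines():
        kind = line[:2]
        names = file_names(line)
        for name in names:
            real = lookalike_of(name)
            if real:
                findings.append(Finding(line, f"{name} imitates {real}"))
        if kind == "F2" and "Shell=" in line:
            # The shell value should be Explorer.exe alone; anything appended
            # to it is started at every logon.
            extra = [n for n in names if n != "explorer.exe"]
            if extra:
                findings.append(Finding(line, "Shell= also starts " + ", ".join(extra)))
        if kind == "F3" and re.search(r"\b(load|run)=\S", line):
            findings.append(Finding(line, "win.ini load/run value is set"))
        if kind == "O2" and any(not n.endswith(".dll") for n in names):
            findings.append(Finding(line, "BHO is not a .dll"))
        if kind == "O7" and "DisableRegedit=1" in line:
            findings.append(Finding(line, "registry editor disabled by policy"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:40} <- {f.line[:70]}")
```

The name check is a heuristic and will occasionally flag a legitimate short file name; treat its output as a list of lines to look at, not a verdict.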

#2 Ryan (Member, 4,867 posts)
Hi spamn, welcome to geekstogo. I'm Ryan, and I'll be helping you clean your machine.

Please copy the HiJack This executable (hijackthis.exe) to your desktop. This is very important as the backups it makes could be needed if something goes wrong.

It appears that you are not running any anti-virus software. It is very important that you do so, as any efforts we make may be made in vain without it.

Please install one of the following free antivirus programs.
Once you have installed it, please update it according to its documentation.

Next, please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Log onto the machine using an account with administrator privileges, and run a full system scan using the anti-virus you installed earlier.

After the scan has finished, delete/quarantine everything it finds. If a log is produced (again, please consult the program's documentation) make sure you save it to a location you will remember later.


Reboot your computer into normal Windows. If a log was produced, please post that.

In any case, please post a new HiJack This log, and an uninstall log as well. For the uninstall list:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
-Ryan

#3 spamn (Topic Starter, 14 posts)
Ok, after my AVG scan here are my results...


Logfile of HijackThis v1.99.1
Scan saved at 12:14:18 AM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\internet explorer\iexplore.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\system32\dllhost.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\Samuel Beckring\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - D:\WINDOWS\system32\wsock32.sys
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...9519e30683f03bed2438a9847b87abbaa25377e24a23c88074d681b8ea9d8fa5d71016becbe8f3abc3ba8ad2a1f2076596dda16bc575929c883d0bb59e5009fb8447d21863d4ce:ef012dcffdb51c5bfed883317b5f6dce
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - D:\WINDOWS\D:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

And the uninstall log...

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Agere Systems PCI-SV92PP Soft Modem
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Display Driver
AVG Anti-Virus 7.1
Azureus
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Easy Video Joiner 5.21
FilmLoop Player
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB905213)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB912024)
HP Software Update
J2SE Runtime Environment 5.0 Update 7
LimeWire PRO 4.11.0
LiveUpdate 2.7 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
mIRC
Nero 7 Premium
PENTAX USB DISK Device
PowerISO
QuickTime
QuickVCD Player v3.0
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SPBBC
Spybot - Search & Destroy 1.4
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB919803
WinRAR archiver
World of Warcraft
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger

#4 Ryan (Member, 4,867 posts)
We have a few things to take care of in this post. If you have any questions, please ask before doing them.

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

== Create batch file ==

Please copy everything in the code box below to a clean notepad file:

del D:\WINDOWS\system32\scvhost.exe
del D:\WINDOWS\system32\wsock32.sys
sc stop SPBBCSvc
sc delete SPBBCSvc

Save the file to your desktop as "cleanme.bat" (include the quotation marks).


== Install/Update/Configure AVG Anti-Spyware ==

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


== HiJack This Entries ==

Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)

F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - D:\WINDOWS\system32\wsock32.sys
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Close all open windows except for HiJack This and click fix checked.


== Clear temp folders, create new restore point ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next, let's make a new restore point and get rid of the others.

Step #1 - Create a New Restore Point

Go - Start>Programs>Accessories>System Tools>System Restore>Create a New Restore point.

Step #2 - Flush All Previous Points

Go - Start>Programs>Accessories>System Tools>Disk Cleanup>"More Options" Tab>Remove All But Most Recent Point.

== Run batch and AVG Anti-Spyware in Safe Mode ==


Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Double click on the cleanme.bat file that you created earlier. A black window will appear; this is normal.

  • IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode

== Request Logs ==

Once you have logged back onto the computer, please rescan with HijackThis and post a fresh log, along with the results from the AVG Anti-Spyware scan, in this same topic, and let us know how your system's working.

-Ryan
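Added example (not part of Ryan's post, and not HijackThis's own code): a script that triages a HijackThis 1.99.1 log for the patterns behind the entries listed above: a system.ini Shell= line carrying a second executable, win.ini load=/run= autostarts, a BHO whose file is not a DLL or is already gone, a Run/RunServices value starting a one-letter lookalike of a Windows binary (scvhost.exe for svchost.exe), a Policies\System restriction, and an ActiveX download from an adware host. The sample lines are copied from the logs in this thread; the list of imitated binaries, the adware host token list and the flagging rules are the example's own assumptions.

```python
"""Triage a HijackThis 1.99.1 log for the hijack patterns handled in this thread.

Added example: this is not code from the forum post above or from HijackThis.
The sample lines are copied from the logs posted in the thread; the list of
imitated system binaries, the adware host list and the flagging rules are
this example's own assumptions, not HijackThis's logic or any vendor's rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines taken from the thread's HijackThis logs.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - D:\WINDOWS\system32\wsock32.sys
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Windows binaries that malware imitates with a one-character change, as
# scvhost.exe imitates svchost.exe in this thread. Assumed list.
IMITATED_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                  "explorer.exe", "spoolsv.exe", "services.exe")
# Hostname fragments of O16 (ActiveX download) sites treated as adware. Assumed list.
DPF_DENY_TOKENS = ("zango",)

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
EXE_RE = re.compile(r'("?)([^"]*?\.exe)\1', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _osa_distance(a: str, b: str) -> int:
    """Edit distance that counts one adjacent transposition (scv -> svc) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def basename(path: str) -> str:
    """Lower-case file name from a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def lookalike(name: str) -> Optional[str]:
    """Return the legitimate binary `name` imitates (exactly one edit away), else None."""
    name = name.lower()
    for legit in IMITATED_NAMES:
        if name != legit and _osa_distance(name, legit) == 1:
            return legit
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines are skipped
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "shell=" in body.lower():
            # system.ini Shell= must be Explorer.exe alone; extra executables
            # are started by winlogon together with the desktop.
            tokens = re.findall(r'"[^"]+"|\S+', body.split("=", 1)[1])
            extra = [t for t in tokens if basename(t) != "explorer.exe"]
            if extra:
                findings.append(Finding(sec, "extra Shell= executable: " + ", ".join(extra), line))
        elif sec == "F3":
            # win.ini load= / run= are legacy autostarts and should be empty.
            key, _, value = body.rpartition(": ")[2].partition("=")
            if key.strip().lower() in ("load", "run") and value.strip():
                findings.append(Finding(sec, f"win.ini {key.strip()}= autostart: {value.strip()}", line))
        elif sec == "O2":
            path = body.split(" - ")[-1].strip()
            if path == "(no file)":
                findings.append(Finding(sec, "BHO CLSID registered but its file is gone (orphan registration)", line))
            elif not path.lower().endswith(".dll"):
                findings.append(Finding(sec, f"BHO loads a non-DLL file: {basename(path)}", line))
        elif sec == "O4":
            key, _, rest = body.partition("]")
            exe = EXE_RE.search(rest)
            target = basename(exe.group(2)) if exe else ""
            legit = lookalike(target)
            if legit:
                findings.append(Finding(sec, f"{key.strip()}] starts {target}, a lookalike of {legit}", line))
        elif sec == "O7":
            # Policies\System restrictions produce the "access denied" the user
            # sees in regedit or Task Manager; home systems rarely set them.
            findings.append(Finding(sec, "restrictive policy set: " + body.split(", ")[-1], line))
        elif sec == "O16":
            host = HOST_RE.search(body)
            if host and any(tok in host.group(1).lower() for tok in DPF_DENY_TOKENS):
                findings.append(Finding(sec, "ActiveX download from known adware host " + host.group(1), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run as-is it reports nine findings from the sample and leaves the Java BHO, the Windows Defender autostart and the AVG service alone; pass a real log's text to triage() to use it on another machine. The O4 check keys on the file name only, so a binary named exactly svchost.exe but started from a directory other than system32 passes it; checking the directory as well is the obvious next refinement.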

#5 spamn (Topic Starter, Member, 14 posts)
I did everything you said up to the point of "Create a restore point".

My system restore feature is gone. I don't know where it went, but it's not on my computer. The shortcuts and the .exe are gone.

#6 Ryan (Member, 4,867 posts)
That's fine, just skip that and proceed with the rest of the instructions.

-Ryan

#7 spamn (Topic Starter, Member, 14 posts)
Ok, so I did the whole process, minus the system restore point and... I forgot to save the log for the AVG anti spyware run. It did find two things, but I completely forgot to save the log.

Here is the new HJT log..

Logfile of HijackThis v1.99.1
Scan saved at 3:35:58 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
D:\Program Files\internet explorer\iexplore.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Kerio\WinRoute Firewall\avServer.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
D:\Documents and Settings\Samuel

Beckring\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no

file)
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program

Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Generic Host Process]

D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Generic Host Process]

D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft

ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\Kerio\WinRoute

Firewall\wrctrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

present
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program

Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite -

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -

http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -

http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload

Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document

4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller

Class) -

http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control)

- https://h17000.www1....loadManager.ocx
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) -

http://static.zangoc...9519e30683f03be

d2438a9847b87abbaa25377e24a23c88074d681b8ea9d8fa5d71016becbe8f3abc3ba8a

d2a1f2076596dda16bc575929c883d0bb59e5009fb8447d21863d4ce:ef012dcffdb51c

5bfed883317b5f6dce
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX

Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} -

D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945}

- D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program

Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. -

D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - D:\Program

Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies

- D:\Program Files\Kerio\WinRoute Firewall\winroute.exe

#8 Ryan (Member, 4,867 posts)
Hi. Can you please post a new HiJack This log, but turn off word wrap? It makes it easier for us when word wrap is off. Thanks

-Ryan

#9 spamn (Topic Starter, Member, 14 posts)
Sorry about that...


Logfile of HijackThis v1.99.1
Scan saved at 4:29:51 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
D:\Program Files\internet explorer\iexplore.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
D:\Program Files\Kerio\WinRoute Firewall\avServer.exe
D:\Documents and Settings\Samuel Beckring\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - D:\Program Files\Kerio\WinRoute Firewall\winroute.exe

#10 Ryan (Member, 4,867 posts)
Thanks spamn. There are still a few entries in your HiJack This log that we need to take care of.


== HiJack This Entries ==

Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce


Close all open windows except for HiJack This and click fix checked.

Reboot your PC.


== Panda ActiveScan ==

Please go HERE to run Panda's ActiveScan. You will need to use Internet Explorer to run it.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

== Request Logs ==

If you would please rescan with HijackThis and post a fresh log, along with the results from the Panda ActiveScan, in this same topic, and let us know how your system's working.

-Ryan

#11 spamn (Topic Starter, Member, 14 posts)
New HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 5:48:58 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
D:\Program Files\Kerio\WinRoute Firewall\avServer.exe
D:\WINDOWS\system32\dllhost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\eHome\ehmsas.exe
D:\Documents and Settings\Samuel Beckring\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - D:\Program Files\Kerio\WinRoute Firewall\winroute.exe



Panda ActiveScan found nothing at all. System seems to be faster and has not locked up on me at all. I now have access to the task manager, too. Only thing I still notice is the "Themida" splashscreen when I log on.

Edited by spamn, 06 October 2006 - 06:50 PM.
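Added example (not code from either poster or from HijackThis): the log above still lists the O2 BHO entry for {E14DCE67-8FB7-4721-8149-179BAA4D792C} that was on the fix list in post #10, while the other five requested entries are gone and one new O16 entry (Panda's own ActiveScan installer control) has appeared. This script makes that check mechanical: it compares the log from before the fix, the log from after it and the requested entries, matching BHO and DPF entries by CLSID and O4 autostarts by key and value name rather than by the whole line, so the first-round entry "O2 - BHO: N.Cs4 - {E14DCE67-...} - wsock32.sys" and the later "(no name) ... (no file)" form count as the same entry. The three log excerpts are copied from this thread; the keying rules and the output categories are the example's own assumptions.

```python
"""Compare two HijackThis logs against the entries a helper asked to have fixed.

Added example: not code from the forum posts or from HijackThis. The two log
excerpts and the requested-fix list are copied from this thread; the keying
rules (CLSID for O2/O16, key plus value name for O4) are this example's own.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the thread: entries from the log posted before the second fix round.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
"""

# Constructed from the thread: the same entries in the log posted after the fix.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
"""

# Entries the helper asked to fix across both rounds. The first-round form of
# the BHO entry is included on purpose: same CLSID, different name and path.
REQUESTED = r"""
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=D:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=D:\WINDOWS\system32\scvhost.exe
O2 - BHO: N.Cs4 - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - D:\WINDOWS\system32\wsock32.sys
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E14DCE67-8FB7-4721-8149-179BAA4D792C} - (no file)
O4 - HKLM\..\Run: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] D:\WINDOWS\system32\scvhost.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangoc...ed883317b5f6dce
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]")

Key = Tuple[str, ...]


def entry_key(line: str) -> Key:
    """Stable identity of an entry: the part that survives the malware renaming
    or losing its file, so a re-created entry still matches the requested one."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a HijackThis entry line: " + line)
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O16"):  # BHOs and ActiveX DPF controls are identified by CLSID
        c = CLSID_RE.search(body)
        if c:
            return (sec, c.group(0).upper())
    if sec == "O4":  # autostarts by hive\key and value name, not by the target path
        o = O4_RE.match(body)
        if o:
            return (sec, o.group("key").upper(), o.group("name"))
    return (sec, " ".join(body.split()))


def entries(log_text: str) -> Dict[Key, str]:
    """Map entry key -> line for every entry line in a log (process list ignored)."""
    out: Dict[Key, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if LINE_RE.match(line):
            out[entry_key(line)] = line
    return out


def compare_logs(before: str, after: str, requested: str) -> Dict[str, List[str]]:
    b, a, r = entries(before), entries(after), entries(requested)
    return {
        # requested and now absent: the fix took
        "resolved": sorted(r[k] for k in r if k not in a),
        # requested but still listed afterwards: the fix did not take or was re-created
        "still_present": sorted(a[k] for k in r if k in a),
        # present before, gone now, but nobody asked for it: collateral or self-removed
        "gone_unrequested": sorted(b[k] for k in b if k not in a and k not in r),
        # appeared since the previous log: review (here Panda's own scanner control)
        "new": sorted(a[k] for k in a if k not in b),
    }


if __name__ == "__main__":
    for label, lines in compare_logs(BEFORE_LOG, AFTER_LOG, REQUESTED).items():
        print(f"== {label} ({len(lines)})")
        for ln in lines:
            print("   " + ln)
```

The "still_present" list is the one to act on before calling a machine clean; here it holds the orphaned BHO registration, which is consistent with the splash screen the user still sees at logon, though the log alone cannot say what is re-creating it. Feeding the first and last full logs of a thread into compare_logs() gives the same summary for any HijackThis-based cleanup.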


#12 Ryan (Member, 4,867 posts)
Is this the program that opens? http://www.softpedia...shot-18595.html

Please post a new Uninstall list as well please.

-Ryan

#13 spamn (Topic Starter, Member, 14 posts)
No program opens up, just a splash screen is displayed. The splash screen is for that program though. I have never downloaded that program. I don't know if I downloaded something that uses that program though.

Here is my latest uninstall log...


Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Agere Systems PCI-SV92PP Soft Modem
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Anti-Virus 7.1
Azureus
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Beta Two Technical Refresh for Microsoft Office 2007 (KB000000): OfficeSPFullFile(12.0.4407.1005): B2TR
Easy Video Joiner 5.21
FilmLoop Player
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB905213)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB912024)
HP Software Update
J2SE Runtime Environment 5.0 Update 7
Kerio WinRoute Firewall
Kerio WinRoute Firewall Administration
LimeWire PRO 4.11.0
LiveUpdate 2.7 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
mIRC
Nero 7 Premium
Panda ActiveScan
PENTAX USB DISK Device
PowerISO
QuickTime
QuickVCD Player v3.0
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI NIC Driver
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SPBBC
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB919803
WinRAR archiver
World of Warcraft
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger

#14
Ryan
Member, 4,867 posts
Thanks spamn. Themida isn't showing up in any of the previous scans, and it appears to be a legitimate product. Let's try one more scan to see if we can find out where it's coming from.

Please print these directions before continuing since we will be rebooting the computer into Safe Mode and these instructions will not be available.

Download WinPFind.exe to your desktop and double-click on it to extract the files. This will create a folder named WinPFind on your desktop.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Double-click on the WinPFind folder on your desktop to open it and then double-click on the WinPFind.exe file to start the program.

Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log, and I will review the information when it comes in.

-Ryan
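What a helper actually looks for once a WinPFind log comes back, as an added example (this is not WinPFind's code and not part of the thread): WinPFind tags files under %System% with whatever packer string it finds in them (UPX!, FSG!, aspack, PEC2, ...) and lists recently changed hidden/system files with their R/H/S attributes. Neither is a verdict on its own, which is why the tool prints its "not all files found by this scanner are bad" warning. The script below parses both line shapes and ranks entries for a hash lookup using two heuristics of mine: Microsoft does not ship UPX- or FSG-packed system files, so such a signature on a %System% file whose version resource claims "Microsoft Corporation" is worth a look; and a hidden+system file under %WinDir% outside the subtrees where Windows itself keeps such files (registry hives, the catalog store, DPAPI keys, the GAC, the offline-files cache) is unusual. The line format is inferred from the log layout, the function names, the `MANAGED_SUBDIRS` list and the sample lines are all assumptions, and the sample lines are constructed in WinPFind's format, not taken from the poster's machine.

```python
"""Triage heuristics for WinPFind-style log lines (added example, not WinPFind's code)."""
import re
from collections import defaultdict

# Line shapes, inferred from the layout of WinPFind output (assumption):
#   signature line:  <sig> <m/d/yyyy> <h:mm:ss AM|PM> <size> <path> (<vendor>)
#   attribute line:  <m/d/yyyy> <h:mm:ss AM|PM> [<attrs>] <size> <path> (<vendor>)
STAMP = r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)"
SIG_RE = re.compile(rf"^(?P<sig>\S+) {STAMP} (?P<size>\d+) (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
ATTR_RE = re.compile(rf"^{STAMP} (?:(?P<attrs>[RHSA]+) )?(?P<size>\d+) (?P<path>.+?) \((?P<vendor>[^)]*)\)$")

# Runtime packers that Microsoft does not use on the system files it ships.
STRONG_PACKERS = {"UPX!", "FSG!"}
# Subtrees under %WinDir% where hidden+system files are expected: registry hives,
# catalog store, DPAPI master keys, GAC, offline-files cache. Illustrative list (assumption).
MANAGED_SUBDIRS = ("\\config\\", "\\catroot\\", "\\microsoft\\protect\\", "\\assembly\\", "\\csc\\")
MICROSOFT = "microsoft corporation"


def parse(lines):
    """Return ({path: set(sigs)}, {path: (vendor, attrs, size)}) keyed by lower-cased path."""
    sigs = defaultdict(set)
    meta = {}
    for raw in lines:
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            path = m["path"].lower()
            sigs[path].add(m["sig"])  # several signature hits on one file are normal
            meta.setdefault(path, (m["vendor"], "", int(m["size"])))
            continue
        m = ATTR_RE.match(line)
        if m:
            meta[m["path"].lower()] = (m["vendor"], m["attrs"] or "", int(m["size"]))
    return sigs, meta


def triage(lines):
    """Score each file; returns [(score, path, reasons)] with the highest score first."""
    sigs, meta = parse(lines)
    findings = []
    for path, (vendor, attrs, _size) in meta.items():
        score, reasons = 0, []
        strong = sigs[path] & STRONG_PACKERS
        in_system32 = "\\system32\\" in path
        in_windir = "\\windows\\" in path
        if strong and in_system32 and vendor.lower() == MICROSOFT:
            # A genuine Microsoft system file is never UPX/FSG-packed, so either the
            # version resource is forged or the file is not what its name suggests.
            score += 3
            reasons.append(f"{'/'.join(sorted(strong))} in a %System% file claiming Microsoft")
        elif strong and not vendor:
            score += 2
            reasons.append("runtime packer and no vendor string")
        if {"H", "S"} <= set(attrs) and in_windir and not any(d in path for d in MANAGED_SUBDIRS):
            score += 2
            reasons.append("hidden+system file under %WinDir% outside the usual subtrees")
        if score:
            findings.append((score, path, "; ".join(reasons)))
    return sorted(findings, reverse=True)


# Constructed sample in WinPFind's line format (not taken from the poster's machine).
SAMPLE_LOG = r"""
UPX! 6/8/2004 10:17:42 PM 33792 D:\WINDOWS\SYSTEM32\abcdef.dll (Microsoft Corporation)
aspack 8/9/2004 10:00:00 PM 708096 D:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
PEC2 8/9/2004 10:00:00 PM 41397 D:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avdrv.sys (Example AV Vendor)
FSG! 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avdrv.sys (Example AV Vendor)
9/19/2006 2:18:46 AM RHS 1338569 D:\WINDOWS\system32\X1Y2Z3.ini ()
10/8/2006 4:33:52 PM H 1024 D:\WINDOWS\system32\config\SAM.LOG ()
9/19/2006 10:47:30 PM HS 24 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
6/15/2006 3:59:58 PM HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
""".strip().splitlines()

if __name__ == "__main__":
    for score, path, why in triage(SAMPLE_LOG):
        print(f"[{score}] {path}: {why}")
```

Two design points: a signature such as aspack or PEC2 on a file with a Microsoft vendor string is deliberately not scored, because the scanner reports a string match rather than real packing and clean Windows files trigger it; and a packed driver from a non-Microsoft vendor is also left alone, since anti-virus and DRM drivers are routinely protected that way. Everything the script flags still needs a hash check against a known-good source before anything is deleted.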

#15
spamn (Topic Starter)
Member, 14 posts
WinPFind Log...

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 10/8/2006 4:46:23 PM
WinPFind v1.5.0 Folder = D:\Documents and Settings\Samuel Beckring\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
WSUD 5/19/2006 8:01:32 AM 18796544 D:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
UPX! 6/8/2004 10:17:42 PM 33792 D:\WINDOWS\SYSTEM32\cpwiuy.dll (Microsoft Corporation)
PEC2 8/9/2004 10:00:00 PM 41397 D:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 8/11/2004 9:54:46 PM 35840 D:\WINDOWS\SYSTEM32\ecesq.dll (Microsoft Corporation)
PTech 8/6/2005 3:42:52 PM 519944 D:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 9/11/2006 10:37:22 AM 8960936 D:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 9/11/2006 10:37:22 AM 8960936 D:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/9/2004 10:00:00 PM 708096 D:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/9/2004 10:00:00 PM 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/9/2004 10:00:00 PM 657920 D:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 4/30/2004 5:46:24 AM 28672 D:\WINDOWS\SYSTEM32\t3odm.dll (Cyberlink)
UPX! 3/26/2004 12:32:36 AM 99328 D:\WINDOWS\SYSTEM32\t5rdv.dll (Microsoft Corporation)
WSUD 5/9/2006 10:26:34 PM 7706112 D:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
UPX! 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 10/5/2006 11:26:40 PM 778656 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/8/2006 4:29:48 PM S 2048 D:\WINDOWS\bootstat.dat ()
10/7/2006 6:19:12 PM H 54156 D:\WINDOWS\QTFont.qfn ()
10/5/2006 11:24:28 PM HS 19694 D:\WINDOWS\SysPr.prx ()
9/29/2006 7:24:28 AM RH 0 D:\WINDOWS\assembly\PublisherPolicy.tme ()
9/29/2006 7:24:28 AM RH 0 D:\WINDOWS\assembly\pubpol27.dat ()
8/9/2006 5:53:24 PM RH 0 D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index28.dat ()
10/5/2006 9:30:22 PM RH 0 D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index31.dat ()
10/8/2006 4:25:12 PM S 64 D:\WINDOWS\CSC\00000001 ()
10/5/2006 9:06:34 PM S 64 D:\WINDOWS\CSC\00000002 ()
10/5/2006 8:57:18 PM S 64 D:\WINDOWS\CSC\csc1.tmp ()
9/19/2006 2:18:46 AM RHS 1338569 D:\WINDOWS\system32\7D561D2UxE.ini ()
10/6/2006 12:42:02 AM HS 4265 D:\WINDOWS\system32\SysPr.prx ()
8/21/2006 6:00:10 AM S 11749 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat ()
9/18/2006 7:40:26 AM S 8847 D:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925486.cat ()
10/8/2006 4:29:58 PM H 12288 D:\WINDOWS\system32\config\default.LOG ()
10/8/2006 4:33:52 PM H 1024 D:\WINDOWS\system32\config\SAM.LOG ()
10/8/2006 4:30:02 PM H 24576 D:\WINDOWS\system32\config\SECURITY.LOG ()
10/8/2006 4:34:12 PM H 69632 D:\WINDOWS\system32\config\software.LOG ()
10/8/2006 4:30:02 PM H 1085440 D:\WINDOWS\system32\config\system.LOG ()
9/20/2006 10:06:26 PM H 1024 D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
9/29/2006 9:58:54 PM S 341 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 ()
9/29/2006 9:58:54 PM S 413 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 ()
9/29/2006 9:58:54 PM S 574 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 ()
9/29/2006 9:58:54 PM S 126 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 ()
9/29/2006 9:58:54 PM S 98 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 ()
9/29/2006 9:58:54 PM S 136 D:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5 ()
9/19/2006 10:47:30 PM HS 388 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\33a427ff-f3ed-4401-a42c-8c45103ab546 ()
9/19/2006 10:47:30 PM HS 24 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
10/8/2006 4:33:22 PM H 330 D:\WINDOWS\Tasks\MP Scheduled Scan.job ()
10/8/2006 4:25:14 PM H 6 D:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
5/19/2006 8:01:32 AM 18796544 D:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/9/2004 10:00:00 PM 549888 D:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 110592 D:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 135168 D:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 80384 D:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 155136 D:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 358400 D:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 129536 D:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 380416 D:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 68608 D:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
5/3/2006 2:56:54 AM 49265 D:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/9/2004 10:00:00 PM 187904 D:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 618496 D:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 35840 D:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 25600 D:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 32768 D:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 114688 D:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
9/23/2004 6:57:40 PM 323072 D:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
8/9/2004 10:00:00 PM 298496 D:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 28160 D:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 94208 D:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/9/2004 10:00:00 PM 148480 D:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 D:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
12/16/2005 2:19:10 PM 18776064 D:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)

Checking for Downloaded Program Files...
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab
{200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - VerifyGMN Class - CodeBase = http://h20270.www2.h...staller_gmn.cab
{33564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...922/wmv9VCM.CAB
{49232000-16E4-426C-A231-62846947304B} - SysData Class - CodeBase = http://ipgweb.cce.hp...ads/sysinfo.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://by114fd.bay11...es/MsnPUpld.cab
{88D969C0-F192-11D4-A65F-0040963251E5} - XML DOM Document 4.0 - CodeBase = http://ipgweb.cce.hp...oads/msxml4.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - HPObjectInstaller Class - CodeBase = http://h30155.www3.h...edsolutions.cab
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - Get_ActiveX Control - CodeBase = https://h17000.www1....loadManager.ocx
{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macr...ash/swflash.cab
{E8F628B5-259A-4734-97EE-BA914D7BE941} - Driver Agent ActiveX Control - CodeBase = http://driveragent.c...driveragent.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/15/2006 3:59:58 PM HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/15/2006 8:48:20 AM HS 62 D:\Documents and Settings\All Users\Application Data\desktop.ini ()
10/6/2006 7:28:44 PM 2173 D:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
6/15/2006 3:59:58 PM HS 84 D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
6/15/2006 8:48:20 AM HS 62 D:\Documents and Settings\Administrator\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8198
\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - 8193 =
\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - 8194 = Create Mobile Favorite...
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8195 =
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8196 =
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8197 = Yahoo! Messenger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = D:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll (Sun Microsystems, Inc.)
\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - ButtonText: Create Mobile Favorite =
\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - MenuText: Create Mobile Favorite... = ()
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = D:\Program Files\AIM\aim.exe (America Online, Inc.)
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} - PowerISO = D:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = D:\Program Files\WinRAR\rarext.dll ()
\\{B327765E-D724-4347-8B16-78AE18552FC3} - NeroDigitalIconHandler = D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
\\{7F1CF152-04F8-453A-B34C-E609530A9DC8} - NeroDigitalPropSheetHandler = D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = D:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = D:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = D:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]
\Copy To - = ()
\Move To - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = D:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)
\PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = D:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} - = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{7D4D6379-F301-4311-BEBA-E26EB0561882} - NeroDigitalExt.NeroDigitalColumnHandler = D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG)
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ehTray - D:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
HP Software Update - D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
SunJavaUpdateSched - D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
NWEReboot - Reg Data missing or invalid ()
SoundMan - D:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
QuickTime Task - D:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
Windows Defender - D:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
NeroFilterCheck - D:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
AVG7_CC - D:\PROGRA~1\Grisoft\AVG7\avgcc.exe (GRISOFT, s.r.o.)
!AVG Anti-Spyware - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
NeroHomeFirstStart - D:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe (Nero AG)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
GEARSecurity 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FilmLoop
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FilmLoop
hkey HKLM
command "D:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "D:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item YahooMessenger
hkey HKCU
command "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
\\WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = D:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = D:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = D:\WINDOWS\system32\userinit.exe,
\\Shell = explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{13C18A22-15C9-4A13-935B-9AAA0BDDDEA8} - (Windows Mobile-based Device)
{3120D63E-0929-4638-8F7F-F19392072D72} - (Windows Mobile-based Device)
{46ED224C-CA12-4CC0-A8F2-BABBB3993D69} - ()
{75D30370-997C-48C1-9968-320D8CB456E4} - (Realtek RTL8139/810x Family Fast Ethernet NIC)
{C7CB3643-BD43-45EB-BAAE-E414A966C1FA} - (1394 Net Adapter)
{CF5B41AB-7A83-406B-BBA4-BC11EC125C59} - (INPROCOMM IPN2120 Wireless LAN Card)
{D0341A3C-F86D-4A98-A8DC-CA4776290552} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000026\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000027\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


New HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 4:59:51 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
D:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Kerio\WinRoute Firewall\winroute.exe
D:\Program Files\Kerio\WinRoute Firewall\avServer.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Samuel Beckring\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Spamn
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay11...es/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - D:\Program Files\Kerio\WinRoute Firewall\winroute.exe

Thanks!