
BIG PROBLEM -- winfixer.150 -- Fraudtool.AVSystemCare.100 [RESOLVED]


  • This topic is locked

#16 balbert (Member, Topic Starter, 11 posts)
Hello

Per the trail of entries above, we were able to clean up my wife's computer.

While the computer does seem to be operating much better (no more redirect of Google searches, strange programs popping up, etc.), Trojan Hunter and Spybot Search & Destroy keep turning up certain apparent malware each time I run them even after a cleaning.

Trojan Hunter keeps finding FraudTool.AVSystemCare.100 and Winfixer 150 and Spybot SandD keeps finding Vario Antivirus and Virtumonde.

Should I worry about this? Do you need another HiJack This log to tell?

Thanks again for helping me through this mess.

Kind regards,
Brian



#17 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Can you post the logs from each of those programs please.

#18 balbert (Member, Topic Starter, 11 posts)
Thanks for the follow up:

Trojan Hunter Scan Report:

TrojanHunter Scan Report - Saved 2008-03-17 20:59

Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart (matches WinFixer.150)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart (matches WinFixer.150)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVSystemCare (matches FraudTool.AVSystemCare.100)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVSystemCare (matches FraudTool.AVSystemCare.100)
Removed registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Salestart
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVSystemCare

Here is Spybot Report:

-- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-27 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-12 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi
2008-03-12 Includes\DialerC.sbi
2008-03-12 Includes\HeavyDuty.sbi
2008-03-05 Includes\Hijackers.sbi
2008-03-12 Includes\HijackersC.sbi
2008-02-27 Includes\Keyloggers.sbi
2008-03-12 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-03-12 Includes\Malware.sbi
2008-03-12 Includes\MalwareC.sbi
2008-02-20 Includes\PUPS.sbi
2008-03-12 Includes\PUPSC.sbi
2008-03-12 Includes\Revision.sbi
2008-01-09 Includes\Security.sbi
2008-03-12 Includes\SecurityC.sbi
2008-02-20 Includes\Spybots.sbi
2008-03-12 Includes\SpybotsC.sbi
2007-11-06 Includes\Tracks.uti
2008-02-27 Includes\Trojans.sbi
2008-03-12 Includes\TrojansC.sbi
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 1 (5.1.2600)
/ DataAccess: Security update for Microsoft Data Access Components
/ Windows Media Player: Windows Media Update 817787
/ Windows XP / SP2: Windows XP Hotfix - KB282010
/ Windows XP / SP2: Windows XP Hotfix - KB818383
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323183 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See q328345 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q328979 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329581 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) q329623
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329692 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) q330512
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810019
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810090
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q819696


--- Startup entries list ---
Located: HK_LM:Run, AGRSMMSG
command: AGRSMMSG.exe
file: C:\WINDOWS\AGRSMMSG.exe
size: 87751
MD5: D4977E5B6B3BF4DAA1F35D6EE44DA80F

Located: HK_LM:Run, ATIModeChange
command: Ati2mdxx.exe
file: C:\WINDOWS\system32\Ati2mdxx.exe
size: 28672
MD5: FAE95D6D7651B5629C4E19ADBC9A3863

Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 315392
MD5: C73FF76885EB1C95B43A4610CBFBE2FC

Located: HK_LM:Run, avgnt
command: "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
file: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
size: 249896
MD5: 6E898F5959E7195D64594C30E9251938

Located: HK_LM:Run, AVSystemCare
command: C:\Program Files\AVSystemCare\pgs.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, BMMGAG
command: RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, BMMLREF
command: C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
file: C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
size: 20480
MD5: EEEB2F1891E79DC77DE07D31359CD861

Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 106551
MD5: 587D68D1F57D6203A1BB7AFC0EF428CE

Located: HK_LM:Run, EZEJMNAP
command: C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
file: C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
size: 204800
MD5: CEDE80A6379C3C4F92A7F805DDFC1D3F

Located: HK_LM:Run, icasServ
command: C:\WINDOWS\System32\icasServ.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QCTray
command: C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QCWLICON
command: C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, S3TRAY2
command: S3Tray2.exe
file: C:\WINDOWS\system32\S3Tray2.exe
size: 69632
MD5: C11D79B0421D833CBC2A182E708A170A

Located: HK_LM:Run, Salestart
command: "C:\Program Files\Common Files\ErrClean\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, StorageGuard
command: "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
file: c:\Program Files\VERITAS Software\Update Manager\sgtray.exe
size: 155648
MD5: 68C91658A3CB6773EC79C90CC0EE6BC1

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 512000
MD5: 60F9B56EF5F7615D4762FE8A6B6FEADB

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 110592
MD5: 0B9D759A3891D06B0F5415DB3CB4A07B

Located: HK_LM:Run, THGuard
command: "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
file: C:\Program Files\TrojanHunter 5.0\THGuard.exe
size: 1047712
MD5: 0658BAB5FFFB6EB48A8BA0D9D87C519E

Located: HK_LM:Run, TP4EX
command: tp4ex.exe
file: C:\WINDOWS\system32\tp4ex.exe
size: 53248
MD5: 15CFE57F05D7FD80D1C5E70BCDCB01FF

Located: HK_LM:Run, TPHOTKEY
command: C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, TPKMAPHELPER
command: C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
file: C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe
size: 897024
MD5: 865F49B1EEC049728CDDB35F948DE759

Located: HK_LM:Run, ucookw
command: "C:\PROGRA~1\ErrClean\ucookw.exe" -start
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 29FF6100B7B3D4818B61119BBFAAE53A

Located: HK_CU:Run, ibmmessages
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
file: C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
size: 495616
MD5: 6DBB6F4BFD311C5672DC736C7CC341F4

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-510812086-3930200193-1037951259-1004...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1511453
MD5: 1E455B08870D4AC3BB6AB5968603E8AF

Located: HK_CU:Run, Spoolsv
where: S-1-5-21-510812086-3930200193-1037951259-1004...
command: C:\WINDOWS\System32\spoolvs.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-510812086-3930200193-1037951259-1004...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: Startup (common), Belkin Wireless G Notebook Card Client Utility.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
file: C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
size: 1556480
MD5: 5D53A408C98B9FB78A87C7B1CB3D1BD5

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2/27/2008 7:58:20 AM
Date (last access): 3/17/2008 8:53:10 PM
Date (last write): 1/28/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky...can_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 8/29/2007 3:49:54 PM
Date (last access): 3/17/2008 8:53:12 PM
Date (last write): 8/29/2007 3:49:54 PM
Filesize: 950272
Attributes: archive
MD5: BC915C49931CE46222F9B0A7EFB56CEE
CRC32: 11048171
Version: 5.0.98.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.mi...b?1204393670618
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 7/30/2007 7:19:46 PM
Date (last access): 3/17/2008 8:53:12 PM
Date (last write): 7/30/2007 7:19:46 PM
Filesize: 203096
Attributes: archive
MD5: FD984F9BFC9C62BD6546BD183CE5ADE7
CRC32: 8092F837
Version: 7.0.6000.381

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.ma...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9e.ocx
Short name:
Date (created): 11/20/2007 4:04:14 PM
Date (last access): 3/17/2008 8:53:12 PM
Date (last write): 11/20/2007 4:04:14 PM
Filesize: 2987392
Attributes: readonly archive
MD5: D3C50535C26190FEAD7785A03499C0AC
CRC32: A77C3E92
Version: 9.0.115.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 784 ( 4) \SystemRoot\System32\smss.exe
size: 45568
PID: 872 ( 784) \??\C:\WINDOWS\system32\csrss.exe
size: 4096
PID: 896 ( 784) \??\C:\WINDOWS\system32\winlogon.exe
size: 516608
PID: 948 ( 896) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
PID: 960 ( 896) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: B2B6BA905D0E3F8A32A0EB3B4051807B
PID: 1148 ( 948) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1296 ( 948) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1488 ( 948) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1588 ( 948) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1676 ( 948) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
size: 75304
MD5: 1495486C0C39013A98BDB149A3145751
PID: 1880 (1840) C:\WINDOWS\Explorer.EXE
size: 1004032
MD5: A82B28BFC2E4455FE43022A498C0EF0A
PID: 176 (1880) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 110592
MD5: 0B9D759A3891D06B0F5415DB3CB4A07B
PID: 248 (1880) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 512000
MD5: 60F9B56EF5F7615D4762FE8A6B6FEADB
PID: 252 (1880) C:\WINDOWS\System32\RunDll32.exe
size: 31744
MD5: 0FB22DD37C17F80AD71316049F725170
PID: 392 (1880) C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
size: 204800
MD5: CEDE80A6379C3C4F92A7F805DDFC1D3F
PID: 404 (1880) C:\WINDOWS\AGRSMMSG.exe
size: 87751
MD5: D4977E5B6B3BF4DAA1F35D6EE44DA80F
PID: 508 (1880) C:\WINDOWS\system32\dla\tfswctrl.exe
size: 106551
MD5: 587D68D1F57D6203A1BB7AFC0EF428CE
PID: 520 (1880) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
size: 249896
MD5: 6E898F5959E7195D64594C30E9251938
PID: 528 (1880) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919016
MD5: 29FF6100B7B3D4818B61119BBFAAE53A
PID: 536 (1880) C:\Program Files\TrojanHunter 5.0\THGuard.exe
size: 1047712
MD5: 0658BAB5FFFB6EB48A8BA0D9D87C519E
PID: 676 (1880) C:\Program Files\Messenger\msmsgs.exe
size: 1511453
MD5: 1E455B08870D4AC3BB6AB5968603E8AF
PID: 920 (1880) C:\Program Files\Belkin\Cardbus F5D701F\Wireless Utility\Belkinwcui.exe
size: 1556480
MD5: 5D53A408C98B9FB78A87C7B1CB3D1BD5
PID: 1260 ( 948) C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
size: 607576
MD5: 1A198D2182ED39470A70C54C5078BD4D
PID: 372 ( 948) C:\WINDOWS\system32\spoolsv.exe
size: 51200
MD5: 9B4155BA58192D4073082B8FC5D42612
PID: 868 ( 948) C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
size: 214056
MD5: F640EA98231D7B1DB730385813BFCE79
PID: 1700 ( 948) C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
size: 63016
MD5: A6FA9C14E649B2F3DE15390A1840774D
PID: 1948 ( 948) C:\WINDOWS\System32\Ati2evxx.exe
size: 159744
MD5: A3AA4BB72B3661F92DCEDADCF792E415
PID: 3276 (1296) C:\WINDOWS\System32\wuauclt.exe
size: 53080
MD5: F3E9065EB617A7E3A832A7976BFA021B
PID: 2620 (3756) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 2208 (1880) C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe
size: 2418336
MD5: 7718EB7BD0949DB95AB57F78EAB082C9
PID: 2296 (1880) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7655024
MD5: 5F5DB4D92B7095DAED04689DB6DFD586
PID: 2624 (1880) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/17/2008 8:55:48 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft....k/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft....k/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft....k/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 6: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 8: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BB23AE86-B50E-466F-B938-F0E14C396BA8}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BB23AE86-B50E-466F-B938-F0E14C396BA8}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{533DA78F-41A1-4CD5-B373-92D33C749C49}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{533DA78F-41A1-4CD5-B373-92D33C749C49}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8AC73171-6899-4232-ACED-FF39B66D2AFC}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8AC73171-6899-4232-ACED-FF39B66D2AFC}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5A80516A-0F52-493D-A91C-1257286B3EAB}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5A80516A-0F52-493D-A91C-1257286B3EAB}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{836FF792-7BFA-44EE-AB05-67D85E2381FD}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{836FF792-7BFA-44EE-AB05-67D85E2381FD}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{56B2D501-D026-4300-A8BF-157F06E79FEA}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{56B2D501-D026-4300-A8BF-157F06E79FEA}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*
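The startup list above reports several Run values (AVSystemCare, icasServ, Salestart, ucookw and the per-user Spoolsv entry) with an empty file field, size 0 and MD5 D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes: the scanner found the registry value but not the file it points to. The following Python script is an added example, not code from this thread, from Spybot or from TrojanHunter. It parses that section of the report and flags unresolved values, command lines that embed a URL, and executable names one letter-swap away from a Windows system binary (spoolvs.exe against the real print spooler, spoolsv.exe). The list of system binary names and the sample excerpt embedded in the script are assumptions constructed from the posted log.

```python
# Triage of a Spybot-S&D "Startup entries list": flag autorun values whose target the
# scanner could not resolve (size 0 and the MD5 of empty input) plus two heuristics.
# Added example for this thread, not code from the post, from Spybot or from TrojanHunter.
import hashlib
import re

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E
# Legitimate spellings of core Windows binaries (assumed list for this example).
SYSTEM_BINARIES = ("csrss.exe", "lsass.exe", "services.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")

def parse_startup_entries(text):
    """Parse 'Located:' blocks into dicts; lines that are not part of a block are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Located:\s*(.+?),\s*(.+)$", line)
        if m:
            cur = {"location": m.group(1), "name": m.group(2), "command": "",
                   "file": "", "size": 0, "md5": "", "flags": []}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key in ("command", "file"):
                cur[key] = val
            elif key == "size" and val.isdigit():
                cur["size"] = int(val)
            elif key == "md5":
                cur["md5"] = val.upper()
    return entries

def exe_name(command):
    """Base name of the program a command line starts (first token, quotes stripped)."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    token = (m.group(1) or m.group(2)) if m else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def one_swap_away(a, b):
    """True when a and b differ only by one adjacent pair of characters being swapped."""
    if len(a) != len(b) or a == b:
        return False
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]

def triage(entries):
    """Attach flags in place and return the entries that received at least one."""
    for e in entries:
        # WinLogon notification packages are listed by bare DLL name and the scanner
        # never resolves them, so the empty-input hash there is expected, not a finding.
        if e["location"].lower().startswith("winlogon"):
            continue
        exe = exe_name(e["command"])
        unresolved = not e["file"] and e["size"] == 0 and e["md5"] == EMPTY_MD5
        if unresolved and exe.startswith("rundll32"):
            e["flags"].append("rundll32 host: DLL argument was not hashed, check it by hand")
        elif unresolved:
            e["flags"].append("orphan: target file not found on disk")
        if re.search(r"https?://", e["command"], re.IGNORECASE):
            e["flags"].append("URL embedded in command line")
        e["flags"].extend(f"lookalike of {legit}" for legit in SYSTEM_BINARIES
                          if one_swap_away(exe, legit))
    return [e for e in entries if e["flags"]]

def flagged_names(text):
    """{entry name: [flags]} for every flagged entry in a report."""
    return {e["name"]: e["flags"] for e in triage(parse_startup_entries(text))}

# Excerpt constructed from the list posted above (abridged; the values are unchanged).
SAMPLE_REPORT = """\
Located: HK_LM:Run, AGRSMMSG
command: AGRSMMSG.exe
file: C:\\WINDOWS\\AGRSMMSG.exe
size: 87751
MD5: D4977E5B6B3BF4DAA1F35D6EE44DA80F
Located: HK_LM:Run, AVSystemCare
command: C:\\Program Files\\AVSystemCare\\pgs.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Located: HK_LM:Run, Salestart
command: "C:\\Program Files\\Common Files\\ErrClean\\strpmon.exe" dm=http://errclean.com ad=http://errclean.com sd=http://inspaid.errclean.com
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Located: HK_CU:Run, Spoolsv
command: C:\\WINDOWS\\System32\\spoolvs.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
"""
```

An unresolved value is a prompt, not a verdict: rundll32 entries and uninstalled vendor utilities (QCTray and TPHOTKEY in the log above) look the same to the scanner as a removed malware loader, so each flag should be confirmed by opening the Run key in regedit and checking whether the target file exists before the value is deleted.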

#19 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Those are entries in the registry and are just leftovers.
They are not active anymore and will get removed via those 2 programs.

Trojan Hunter already deleted those values that it found.
And the Spybot log only shows one entry.

Keep running spybot until it cleans up what it finds.

You are clean :)

#20 balbert (Member, Topic Starter, 11 posts)
Awesome. Thank you.

#21 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.






