Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

taskbar VIRUS ALERT! [RESOLVED]

Started by chou05 , May 31 2008 11:55 PM

This topic is locked

#16
Octagonal

Posted 13 June 2008 - 12:47 AM

Member 2k

Member
2,528 posts

Hello chou05,

Let's see if we can get to the bottom of this problem. I would like you to download and run the following tool. If you can't get on to the internet with that computer then please use a flash drive or similar removable media to transfer the file and results to and from another computer.

http://download.blee...CF-querySvc.exe

Once downloaded double click on CF-querySvc.exe to run it. Post the results of the log it produces in your next reply.

#17
chou05

Posted 15 June 2008 - 02:32 PM

Member

Topic Starter
Member
24 posts

------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, MHN, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN

------ SVCHOST SERVICES NOT RUNNING

STOPPED: AUTO_START: AudioSrv : Windows Audio
STOPPED: AUTO_START: BITS : Background Intelligent Transfer Service
STOPPED: AUTO_START: Browser : Computer Browser
STOPPED: AUTO_START: CryptSvc : Cryptographic Services
STOPPED: AUTO_START: dmserver : Logical Disk Manager
STOPPED: AUTO_START: Dnscache : DNS Client
STOPPED: AUTO_START: ERSvc : Error Reporting Service
STOPPED: AUTO_START: helpsvc : Help and Support
STOPPED: AUTO_START: lanmanworkstation : Workstation
STOPPED: AUTO_START: LmHosts : TCP/IP NetBIOS Helper
STOPPED: AUTO_START: RemoteRegistry : Remote Registry
STOPPED: AUTO_START: RpcSs : Remote Procedure Call (RPC)
STOPPED: AUTO_START: Schedule : Task Scheduler
STOPPED: AUTO_START: SENS : System Event Notification
STOPPED: AUTO_START: SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
STOPPED: AUTO_START: ShellHWDetection : Shell Hardware Detection
STOPPED: AUTO_START: srservice : System Restore Service
STOPPED: AUTO_START: SSDPSRV : SSDP Discovery Service
STOPPED: AUTO_START: TrkWks : Distributed Link Tracking Client
STOPPED: AUTO_START: WebClient : WebClient
STOPPED: AUTO_START: winmgmt : Windows Management Instrumentation
STOPPED: AUTO_START: wscsvc : Security Center
STOPPED: AUTO_START: wuauserv : Automatic Updates
STOPPED: AUTO_START: WZCSVC : Wireless Zero Configuration
STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: EventSystem : COM+ Event System
STOPPED: DEMAND_START: FastUserSwitchingCompatibility : Fast User Switching Compatibility
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: MHN : MHN
STOPPED: DEMAND_START: Netman : Network Connections
STOPPED: DEMAND_START: Nla : Network Location Awareness (NLA)
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: RasMan : Remote Access Connection Manager
STOPPED: DEMAND_START: stisvc : Windows Image Acquisition (WIA)
STOPPED: DEMAND_START: TapiSrv : Telephony
STOPPED: DEMAND_START: TermService : Terminal Services
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions
STOPPED: DEMAND_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: NtmsSvc : Removable Storage
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access

------ SVCHOST CURRENTLY RUNNING:

1752- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher

1928- C:\WINDOWS\System32\svchost.exe -k netsvcs
- Dhcp : DHCP Client
- lanmanserver : Server
- seclogon : Secondary Logon
- Themes : Themes
- W32Time : Windows Time

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 3
STOPPED: McrdSvc: Media Center Extender Service
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
STOPPED: SENS: System Event Notification

LanmanServer = 1
STOPPED: Browser: Computer Browser

LanmanWorkstation = 5
STOPPED: Alerter: Alerter
STOPPED: Browser: Computer Browser
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 2
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager

winmgmt = 2
STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
STOPPED: wscsvc: Security Center

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 49
STOPPED: AudioSrv: Windows Audio
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: CryptSvc: Cryptographic Services
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: ERSvc: Error Reporting Service
STOPPED: EventSystem: COM+ Event System
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
STOPPED: helpsvc: Help and Support
STOPPED: HidServ: Human Interface Device Access
STOPPED: iPodService: iPodService
STOPPED: McrdSvc: Media Center Extender Service
STOPPED: Messenger: Messenger
STOPPED: MHN: MHN
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: Netman: Network Connections
STOPPED: NtmsSvc: Removable Storage
STOPPED: PolicyAgent: IPSEC Services
STOPPED: ProtectedStorage: Protected Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RSVP: QoS RSVP
STOPPED: SamSs: Security Accounts Manager
STOPPED: Schedule: Task Scheduler
STOPPED: SENS: System Event Notification
STOPPED: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
STOPPED: ShellHWDetection: Shell Hardware Detection
STOPPED: Spooler: Print Spooler
STOPPED: srservice: System Restore Service
STOPPED: stisvc: Windows Image Acquisition (WIA)
STOPPED: svcWRSSSDK: Webroot Spy Sweeper Engine
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TapiSrv: Telephony
STOPPED: TermService: Terminal Services
STOPPED: TlntSvr: Telnet
STOPPED: TrkWks: Distributed Link Tracking Client
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: VSS: Volume Shadow Copy
STOPPED: winmgmt: Windows Management Instrumentation
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: wscsvc: Security Center
STOPPED: WZCSVC: Wireless Zero Configuration
STOPPED: xmlprov: Network Provisioning Service

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility

Edited by chou05, 15 June 2008 - 05:41 PM.

#18
Octagonal

Posted 16 June 2008 - 06:06 AM

Member 2k

Member
2,528 posts

Hello chou05,

There appears to be several issues concerning the services on your machine. I have a few questions to ask you in regards to the problems you are experiencing with your computer.

Have you altered any of the settings for the services on your computer?

Can you tell me when did you start to experience problems with the computer (infection wise)?

Did you have any problems with dragging and dropping prior to the past week?

Do you have your Windows XP CD?

I need you to install Windows Recovery Console on the computer. If you cannot gain internet access with that computer, please use a flash drive or other removable media to transfer files to and from another computer that does have internet access.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#19
chou05

Posted 16 June 2008 - 03:40 PM

Member

Topic Starter
Member
24 posts

i dont think i've changed any settings on my computer. Although, at one point i had registry mechanic scanning my registry, but i dont remember editing any of my registry variables. that would be too dangerious for someone not knowing what the variables meant.

i began having problems the day before i began posting up on geekstogo. i was getting many pop-up adds stating i had a virus and linking me to faulty webbrowsers telling me to purchase this or purchase that (the whole story). but it was just reciently when i deleted java6 and dap that i wasn't able to access internet, copy & paste, drag & drop, view images, audio not detectable, and so on.

my purchase did not come with a windows XP cd, it was already pre-loaded.

i cant drag and drop anything, is there a way to fix this? (in case i need to back up files?)
>> cant proceed with your instructions above with combofix.

btw, my system says "windows xp MEDIA edition" that would be the same as HOME edition right?
cause the link you prompt me to states only home or proffesional edition downloads.

#20
Octagonal

Posted 17 June 2008 - 06:34 AM

Member 2k

Member
2,528 posts

Hello chou05,

Hold off on my previous instructions for now.

We need to make some changes to the Registry.

Please read through the following instructions and if there is anything that you don't understand, please post your questions before proceeding.

It is important that you follow these instructions exactly as I have listed.

You will need to print out a copy of these instructions and also save them to NotePad and put a shortcut to the file on the desktop so that you can refer to while you complete this procedure.

It is important to backup the Registry before we make any changes so that we have a fresh copy in case of misfortune. Please click on Start then Run and copy the following code into the command line.

regedit /e C:\RegBU.reg

Click the OK button or press the Enter key. This will save a copy of the Registry to a file (C:\RegBU.reg) on your local hard drive.

Open Notepad, and copy the complete contents of the code box (including the REGEDIT4 line) below into a new text file. Save it on your Desktop as FixLSA.reg. For the "save as type" choose all files.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Locate FixLSA.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Reboot the computer.

Then download a fresh copy of querySvc.exe This file is different from a similar one I had you download and run previously. Do not mistake the two, I would suggest removing the older one.

Double click the fresh copy of querySvc.exe to run it and post the log that it produces, also let me know what problems you are still having.

If you can't access the internet with that computer, then same as before with transferring the files.

#21
chou05

Posted 18 June 2008 - 09:10 PM

Member

Topic Starter
Member
24 posts

------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, MHN, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: AUTO_START: WZCSVC : Wireless Zero Configuration
STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: MHN : MHN
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: stisvc : Windows Image Acquisition (WIA)
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions
STOPPED: DEMAND_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: NtmsSvc : Removable Storage
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access

------ SVCHOST CURRENTLY RUNNING:

1744- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1796- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1840- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- BITS : Background Intelligent Transfer Service
- Browser : Computer Browser
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- dmserver : Logical Disk Manager
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- FastUserSwitchingCompatibility : Fast User Switching Compatibility
- helpsvc : Help and Support
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- srservice : System Restore Service
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- W32Time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates

2044- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

228- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- RemoteRegistry : Remote Registry
- WebClient : WebClient

164- C:\WINDOWS\system32\svchost.exe -k LocalService
- SSDPSRV : SSDP Discovery Service

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 3
RUNNING: McrdSvc: Media Center Extender Service
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

LanmanServer = 1
RUNNING: Browser: Computer Browser

LanmanWorkstation = 5
RUNNING: Browser: Computer Browser
STOPPED: Alerter: Alerter
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 2
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: RasAuto: Remote Access Auto Connection Manager

winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 49
RUNNING: AudioSrv: Windows Audio
RUNNING: BITS: Background Intelligent Transfer Service
RUNNING: CryptSvc: Cryptographic Services
RUNNING: dmserver: Logical Disk Manager
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RUNNING: helpsvc: Help and Support
RUNNING: McrdSvc: Media Center Extender Service
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RemoteRegistry: Remote Registry
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: srservice: System Restore Service
RUNNING: svcWRSSSDK: Webroot Spy Sweeper Engine
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: wscsvc: Security Center
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: HidServ: Human Interface Device Access
STOPPED: iPodService: iPodService
STOPPED: Messenger: Messenger
STOPPED: MHN: MHN
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RSVP: QoS RSVP
STOPPED: stisvc: Windows Image Acquisition (WIA)
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TlntSvr: Telnet
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: WZCSVC: Wireless Zero Configuration
STOPPED: xmlprov: Network Provisioning Service

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

#22
chou05

Posted 18 June 2008 - 09:21 PM

Member

Topic Starter
Member
24 posts

after merging the FixLSA.reg file into my registry, things seem to come back together. normal speed startup, able to access internet browser, copy+paste, drag+drop. yet after looking at the log(above), many things still seem to be STOPPED, is that normal?

btw, my taskbar time is still set to millitary time since the malware infection. least of my worries, now that i am able to use my computer more efficiently instead of transfering files back and forth

to begin the healing process.

#23
Octagonal

Posted 19 June 2008 - 02:09 AM

Member 2k

Member
2,528 posts

Hello chou05,

Great to hear that your system is somewhere near back to normal.

Let's start over and have a fresh look at your computer.

Double-click on dss.exe that you downloaded previously and post the results.

#24
chou05

Posted 20 June 2008 - 01:09 AM

Member

Topic Starter
Member
24 posts

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-20 00:07:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07, on 20/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe

--
End of file - 6030 bytes

-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-18 19:55:31 98962624 --a------ C:\RegBU.reg
2008-06-04 23:21:54 68096 --a------ C:\WINDOWS\zip.exe
2008-06-04 23:21:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-04 23:21:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-04 23:21:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-04 23:21:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-04 23:21:54 98816 --a------ C:\WINDOWS\sed.exe
2008-06-04 23:21:54 80412 --a------ C:\WINDOWS\grep.exe
2008-06-04 23:21:54 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-04 22:34:56 0 d-------- C:\Program Files\Common Files\Java
2008-06-02 20:19:21 0 d-------- C:\VundoFix Backups
2008-05-31 23:19:44 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-27 23:26:03 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 23:26:03 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 23:23:56 140064 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 23:23:56 12045856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 23:10:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

-- Find3M Report ---------------------------------------------------------------

2008-06-04 22:35:51 0 d-------- C:\Program Files\Java
2008-06-04 22:34:56 0 d-------- C:\Program Files\Common Files
2008-06-01 12:13:37 0 d-------- C:\Program Files\Trend Micro
2008-05-27 23:23:55 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-27 23:08:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-25 06:14:34 0 d-------- C:\Program Files\Warcraft III
2008-05-25 04:51:21 0 d-------- C:\Program Files\Starcraft
2008-05-19 20:26:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-11 16:36:23 201728 --a------ C:\WINDOWS\system32\im_screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-04-13 15:58:26 2539 --a------ C:\WINDOWS\unins000.dat
2008-04-13 15:46:37 691545 --a------ C:\WINDOWS\unins000.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" []
"InfoMyCa.exe"="C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe" [10/03/2004 20:57]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [20/07/2005 00:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [18/11/2007 18:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08/02/2008 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 12:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [13/11/2006 14:39]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

-- End of Deckard's System Scanner: finished at 2008-06-20 00:09:37 ------------

#25
chou05

Posted 20 June 2008 - 01:12 AM

Member

Topic Starter
Member
24 posts

does it look serious dr.octagonal?

#26
Octagonal

Posted 21 June 2008 - 07:16 AM

Member 2k

Member
2,528 posts

Hello chou05,

I don't see much wrong in that log.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

I would like you to do a full system scan with the online version of Kaspersky AV as this may have a more up to the minute detection database.

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Please post the following in your next reply:

MBAM results
Kaspersky results
A fresh HijackThis log

Also let me know how your computer is now behaving.

#27
chou05

Posted 24 June 2008 - 02:07 PM

Member

Topic Starter
Member
24 posts

hi Octagonal,
im out on a business trip currently, so my reply with my logs will be delayed. sry for inconvienent late response

#28
chou05

Posted 01 July 2008 - 01:09 AM

Member

Topic Starter
Member
24 posts

Malwarebytes' Anti-Malware 1.19
Database version: 901
Windows 5.1.2600 Service Pack 2

12:48:32 AM 29/06/2008
mbam-log-6-29-2008 (00-48-32).txt

Scan type: Quick Scan
Objects scanned: 41776
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{37d00cd6-4ff0-4004-9a5b-d0d777b09eef} (Spyware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#29
chou05

Posted 01 July 2008 - 01:09 AM

Member

Topic Starter
Member
24 posts

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 29, 2008 08:40:45
Records in database: 896750
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 79284
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:54:53

File name / Threat name / Threats count
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\adprotect_setup.exe.bac_a00208 Infected: not-a-virus:FraudTool.Win32.ContaVir.b 1
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\adprotect_setup.exe.bac_a03696 Infected: not-a-virus:FraudTool.Win32.ContaVir.b 1
C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 1
C:\Documents and Settings\Owner\Desktop\file 6 - Infection\Mod\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 2
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXQkhhF.dll.vir Infected: Trojan.Win32.Monderb.gen 1

The selected area was scanned.

#30
chou05

Posted 01 July 2008 - 01:10 AM

Member

Topic Starter
Member
24 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe
C:\Program Files\U.S.Robotics Wireless Monitor\WLanCfgG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\U.S.Robotics Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EA41871-B967-4DD5-BBD0-67047428FE88}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: U.S. Robotics 802.11g Wireless USB Adapter Service (U.S. Robotics 802.11g Wireless USB Adapter) - Unknown owner - C:\Program Files\U.S.Robotics Wireless Monitor\WLService.exe

--
End of file - 5876 bytes