Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

kxvo.exe PLEASE HELP [RESOLVED]

Started by amm007 , Mar 05 2008 08:19 AM

This topic is locked

#166
amm007

Posted 06 May 2008 - 07:32 PM

Member

Topic Starter
Member
265 posts

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-07 09:32:37
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[432] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [018B73CC] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[3244] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [018B7376] C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----

#167
kahdah

Posted 07 May 2008 - 02:25 PM

GeekU Teacher

Retired Staff
15,822 posts

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Click on the button "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post

#168
amm007

Posted 08 May 2008 - 04:38 AM

Member

Topic Starter
Member
265 posts

StartupList report, 5/8/2008, 6:37:59 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16640)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ChikkaV4\ChikkaLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
BLOG = rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
Adobe Photo Downloader = ; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
Adobe Reader Speed Launcher = ; "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
BMMLREF = ; C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
BMMMONWND = ; rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
DataLayer = ; C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
EZEJMNAP = ; C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
HotKeysCmds = ; C:\WINDOWS\system32\hkcmd.exe
IgfxTray = ; C:\WINDOWS\system32\igfxtray.exe
iTunesHelper = ; "C:\Program Files\iTunes\iTunesHelper.exe"
NeroFilterCheck = ; C:\WINDOWS\system32\NeroCheck.exe
PCSuiteTrayApplication = ; C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
QCTRAY = ; C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
QCWLICON = ; C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
QuickTime Task = ; "C:\Program Files\QuickTime\qttask.exe" -atboottime
RemoteControl = ; "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SoundMAX = ; "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
SoundMAXPnP = ; C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
TP4EX = ; tp4ex.exe
TPHOTKEY = ; C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
TPKMAPHELPER = ; C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
TrackPointSrv = ; tp4serv.exe
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSKAGENTEXE = C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
msnmsgr = ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
PcSync = ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
SmileboxTray = "C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ARC = "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
BMMTask.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[SpinTop DRM Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.2\stg_drm.ocx
CODEBASE = file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan82.ocx
CODEBASE = http://download.bitd...can8/oscan8.cab

[F-Secure Online Scanner 3.3]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-sec...m/ols/fscax.cab

[ArmHelper Control]
InProcServer32 = ./Images/armhelper.ocx
CODEBASE = file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: system32\DRIVERS\ACPIEC.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ANC: System32\drivers\ANC.SYS (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG8 E-mail Scanner: C:\PROGRA~1\AVG\AVG8\avgemc.exe (autostart)
AVG8 WatchDog: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (autostart)
AVG AVI Loader Driver x86: \SystemRoot\System32\Drivers\avgldx86.sys (system)
AVG On-access Scanner Minifilter Driver x86: \SystemRoot\System32\Drivers\avgmfx86.sys (system)
AVG8 Network Redirector: \SystemRoot\System32\Drivers\avgtdix.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Kodak Camera Proxy: system32\DRIVERS\DcCam.sys (system)
DcFpoint: system32\DRIVERS\DcFpoint.sys (manual start)
DCFS2k: system32\DRIVERS\DCFS2k.sys (autostart)
dcfssvc: %SystemRoot%\system32\DRIVERS\dcfssvc.exe (autostart)
Legacy Polling Service: system32\DRIVERS\DcLps.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
%DcPTP.SvcDesc%: system32\DRIVERS\DcPTP.sys (manual start)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: system32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Exportit: system32\DRIVERS\exportit.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HSFHWICH: system32\DRIVERS\HSFHWICH.sys (manual start)
HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
IBMPMDRV: system32\DRIVERS\ibmpmdrv.sys (manual start)
IBM PM Service: %SystemRoot%\system32\ibmpmsvc.exe (autostart)
IBMTPCHK: System32\drivers\IBMBLDID.SYS (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Nokia USB Generic: system32\drivers\nmwcdc.sys (manual start)
Nokia USB Modem: system32\drivers\nmwcdcm.sys (manual start)
Nokia USB Phone Parent: system32\drivers\nmwcd.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Pcmcia: system32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
QCNDISIF: System32\drivers\qcndisif.SYS (manual start)
QCONSVC: System32\QCONSVC.EXE (autostart)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{A24DBD1C-2839-424B-8F57-206EE81A7C3A} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
IBM PS/2 TrackPoint Driver: system32\DRIVERS\tp4track.sys (manual start)
IBM KCU Service: C:\WINDOWS\system32\TpKmpSVC.exe (autostart)
TPPWR: System32\drivers\Tppwr.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSMAPIP: System32\drivers\TSMAPIP.SYS (system)
IBM PS/2 TrackPoint Filter Driver: System32\DRIVERS\TwoTrack.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Visual Studio Analyzer RPC bridge: C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP: system32\DRIVERS\w29n51.sys (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,728 bytes
Report generated in 0.640 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#169
kahdah

Posted 08 May 2008 - 09:52 AM

GeekU Teacher

Retired Staff
15,822 posts

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\Windows\system32\DRIVERS\Ip6Fw.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
===============
Also post a new dss log please.

#170
amm007

Posted 08 May 2008 - 11:11 AM

Member

Topic Starter
Member
265 posts

Service load:
0% 100%
File: Ip6Fw.sys
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 4448006b6bc60e6c027932cfc38d6855
Packers detected:
-
Bit9 reports:

File has already been analysed:
MD5: 4448006b6bc60e6c027932cfc38d6855
First received: 06.16.2007 18:12:31 (CET)
Date: 05.08.2008 02:01:59 (CET) [<1D]
Results: 0/31
Permalink: analisis/c046ea77e0f30569aec589af4d91d62d

#171
amm007

Posted 08 May 2008 - 11:13 AM

Member

Topic Starter
Member
265 posts

Deckard's System Scanner v20071014.68
Run by Ruberc on 2008-05-09 01:12:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Ruberc.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:54 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ruberc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruberc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Adobe Photo Downloader] ; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] ; "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMMLREF] ; C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] ; rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [DataLayer] ; C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [EZEJMNAP] ; C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [HotKeysCmds] ; C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] ; C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] ; C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QCTRAY] ; C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] ; C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] ; "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAX] ; "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] ; C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TP4EX] ; tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] ; C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] ; C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] ; tp4serv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 7638 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-05 12:21:26 0 d-------- C:\Program Files\Smilebox
2008-05-05 12:20:05 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Smilebox
2008-04-29 19:00:56 0 d--h----- C:\$AVG8.VAULT$
2008-04-27 22:17:18 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 22:16:36 0 d-------- C:\Program Files\AVG
2008-04-27 22:16:35 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-23 21:24:26 0 d-------- C:\Documents and Settings\Ruberc\DoctorWeb
2008-04-21 19:12:53 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Malwarebytes
2008-04-21 19:12:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 10:09:12 0 d-------- C:\fsaua.data

-- Find3M Report ---------------------------------------------------------------

2008-04-29 19:25:30 0 d-------- C:\Program Files\Buddy Spy
2008-04-27 22:41:34 0 d-------- C:\Program Files\McAfee.com
2008-04-27 22:40:41 0 d-------- C:\Program Files\McAfee
2008-03-27 19:51:19 0 d-------- C:\Program Files\Yahoo!
2008-03-27 09:43:49 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!
2008-03-24 21:36:06 0 d-------- C:\Program Files\QuickTime
2008-03-24 21:35:00 0 d-------- C:\Program Files\MSN Messenger
2008-03-24 21:29:14 0 d-------- C:\Program Files\Messenger
2008-03-24 21:28:37 0 d-------- C:\Program Files\iTunes
2008-03-24 13:59:41 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-24 13:56:24 0 d-------- C:\Program Files\Saxton NCLEX-RN® 18e
2008-03-11 06:16:00 0 d-------- C:\Program Files\EPSON
2008-03-10 00:14:04 0 d-------- C:\Program Files\Trend Micro
2008-03-04 18:43:12 2082 --a------ C:\WINDOWS\mozver.dat
2008-02-26 18:43:39 8554 --a------ C:\logfile

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [04/20/2005 01:38 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [04/20/2005 01:38 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [04/20/2005 01:38 AM]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [04/20/2005 01:38 AM]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [03/31/2005 09:30 AM]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [11/24/2004 02:10 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2004 08:59 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/02/2004 09:03 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [04/27/2007 11:25 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [03/22/2005 09:39 AM]
"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [03/18/2005 03:07 AM]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [03/18/2005 03:07 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [08/06/2004 08:27 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04/01/2004 10:52 AM]
"TP4EX"="tp4ex.exe" [11/12/2004 01:07 AM C:\WINDOWS\system32\TP4EX.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03/03/2005 05:10 PM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/04/2004 06:39 PM]
"TrackPointSrv"="tp4serv.exe" [10/28/2004 03:50 AM C:\WINDOWS\system32\tp4serv.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/27/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:56 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [04/20/2005 09:57 AM]
"SmileboxTray"="C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe" [05/01/2008 04:44 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 03:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 08/12/2004 08:11 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]
AutoRun\command- G:\USBNB.exe

-- End of Deckard's System Scanner: finished at 2008-05-09 01:13:26 ------------

#172
kahdah

Posted 08 May 2008 - 06:40 PM

GeekU Teacher

Retired Staff
15,822 posts

Download avz4en.zip from here

Save it to your desktop and unzip it to a folder on your desktop
Double click on AVZ.exe to run it.
Choose from the menu "File" => "System Analysis"
Close all windows except for AVZ
Click on "Start" and save the report to your desktop.
Let the scan run and click "No" on the right when it asks you if you want to view it.
Upload the report you saved on your desktop onto this site in your next reply.

#173
amm007

Posted 08 May 2008 - 07:19 PM

Member

Topic Starter
Member
265 posts

I cannot access the site. It says:
Error connecting to database.
Please try again.

#174
kahdah

Posted 08 May 2008 - 07:59 PM

GeekU Teacher

Retired Staff
15,822 posts

Try this one.

http://z-oleg.com/avz4.zip

#175
amm007

Posted 11 May 2008 - 07:47 AM

Member

Topic Starter
Member
265 posts

Results of system analysis

AVZ 4.30 http://z-oleg.com/secur/avz/
List of processes
File name PID Description Copyright MD5 Information
c:\progra~1\avg\avg8\avgemc.exe
Script: Quarantine, Delete, BC delete, Terminate 2004 AVG E-Mail Scanner Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 881.27 kb, rsAh,
created: 4/27/2008 10:16:44 PM,
modified: 4/27/2008 10:16:45 PM
Command line:
C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\progra~1\avg\avg8\avgrsx.exe
Script: Quarantine, Delete, BC delete, Terminate 716 AVG Resident Shield Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 304.27 kb, rsAh,
created: 4/27/2008 10:17:07 PM,
modified: 4/27/2008 10:17:08 PM
Command line:
avgrsx.exe
c:\progra~1\avg\avg8\avgtray.exe
Script: Quarantine, Delete, BC delete, Terminate 648 AVG Tray Monitor Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 1149.77 kb, rsAh,
created: 4/27/2008 10:16:50 PM,
modified: 4/27/2008 10:16:51 PM
Command line:
"C:\PROGRA~1\AVG\AVG8\avgtray.exe"
c:\progra~1\avg\avg8\avgwdsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 504 AVG Watchdog Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 276.27 kb, rsAh,
created: 4/27/2008 10:16:42 PM,
modified: 4/27/2008 10:16:42 PM
Command line:
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\drivers\dcfssvc.exe
Script: Quarantine, Delete, BC delete, Terminate 580 Kodak DC Ring 3 Conduit (Win32) Copyright © Eastman Kodak Co. 2000 ?? 73.56 kb, rsAh,
created: 2/25/2008 8:02:47 PM,
modified: 5/18/2000 3:00:12 PM
Command line:
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\windows\explorer.exe
Script: Quarantine, Delete, BC delete, Terminate 204 Windows Explorer © Microsoft Corporation. All rights reserved. ?? 1009.00 kb, rsAh,
created: 8/4/2004 6:56:50 AM,
modified: 6/13/2007 6:23:07 PM
Command line:
C:\WINDOWS\Explorer.EXE
c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate 3840 Firefox Mozilla Corporation ?? 7481.11 kb, rsAh,
created: 6/20/2007 7:27:52 PM,
modified: 4/17/2008 4:29:34 PM
Command line:
"C:\Program Files\Mozilla Firefox\firefox.exe"
c:\windows\system32\qconsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 768 IBM Access Connections - Service Component. Copyright © IBM Corp. 2001, 2005 ?? 76.00 kb, rsAh,
created: 6/20/2007 5:51:55 PM,
modified: 3/18/2005 3:07:00 AM
Command line:
System32\QCONSVC.EXE
c:\windows\system32\rundll32.exe
Script: Quarantine, Delete, BC delete, Terminate 524 Run a DLL as an App © Microsoft Corporation. All rights reserved. ?? 32.50 kb, rsAh,
created: 8/4/2004 6:56:56 AM,
modified: 8/4/2004 6:56:56 AM
Command line:
"C:\WINDOWS\system32\RunDll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
c:\documents and settings\ruberc\application data\smilebox\smileboxtray.exe
Script: Quarantine, Delete, BC delete, Terminate 856 Smilebox Tray © 2007 Smilebox, Inc. All Rights Reserved. ?? 196.63 kb, rsAh,
created: 4/30/2008 1:44:40 PM,
modified: 5/1/2008 4:44:40 AM
Command line:
"C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"
c:\windows\system32\tpkmpsvc.exe
Script: Quarantine, Delete, BC delete, Terminate 1312 ?? 32.00 kb, rsAh,
created: 6/20/2007 5:44:12 PM,
modified: 7/11/2003 6:19:22 PM
Command line:
C:\WINDOWS\system32\TpKmpSVC.exe
c:\windows\system32\winlogon.exe
Script: Quarantine, Delete, BC delete, Terminate 828 Windows NT Logon Application © Microsoft Corporation. All rights reserved. ?? 490.50 kb, rsAh,
created: 8/4/2004 6:56:58 AM,
modified: 8/4/2004 6:56:58 AM
Command line:
winlogon.exe
c:\program files\microsoft office\office11\winword.exe
Script: Quarantine, Delete, BC delete, Terminate 2288 Microsoft Office Word Copyright © 1983-2003 Microsoft Corporation. All rights reserved. ?? 11755.55 kb, rsAh,
created: 8/6/2003 1:24:20 PM,
modified: 8/6/2003 1:24:20 PM
Command line:
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
c:\progra~1\yahoo!\messen~1\ymsgr_tray.exe
Script: Quarantine, Delete, BC delete, Terminate 176 Yahoo! Messenger Tray © 1998-2007 Yahoo! Inc. All rights reserved. ?? 101.23 kb, rsAh,
created: 3/27/2008 11:37:56 AM,
modified: 8/30/2007 5:43:18 PM
Command line:
"C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe" -ymsgr
Detected:33, recognized as trusted 23
Module name Handle Description Copyright MD5 Used by processes
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
Script: Quarantine, Delete, BC delete 4194304 Smilebox Tray © 2007 Smilebox, Inc. All Rights Reserved. ?? 856
C:\Program Files\Adobe\Reader 8.0\Reader\viewerps.dll
Script: Quarantine, Delete, BC delete 18743296 Acrobat Viewer ProxyStub Library Adobe Systems, Inc. Copyright © 2007 -- 204
C:\Program Files\AVG\AVG8\avgabout.dll
Script: Quarantine, Delete, BC delete 12779520 AVG About Box Library Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgcfgx.dll
Script: Quarantine, Delete, BC delete 13434880 AVG Configuration Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 648, 3840, 2288
C:\Program Files\AVG\AVG8\avgcorex.dll
Script: Quarantine, Delete, BC delete 19333120 AVG Scanning Core Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgcrlpx.dll
Script: Quarantine, Delete, BC delete 24838144 AVG Core RLP Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avglngx.dll
Script: Quarantine, Delete, BC delete 14221312 AVG Language Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 648, 3840, 2288
C:\Program Files\AVG\AVG8\avglogx.dll
Script: Quarantine, Delete, BC delete 268435456 AVG Logging Library Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 716, 648, 504, 3840, 2288
C:\Program Files\AVG\AVG8\avgoff2k.dll
Script: Quarantine, Delete, BC delete 1645740032 Office 2000+ anti-virus extension Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgscanx.dll
Script: Quarantine, Delete, BC delete 18874368 AVG Scanning Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgsrmx.dll
Script: Quarantine, Delete, BC delete 16384000 AVG Scan Result Manager Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgvvx.dll
Script: Quarantine, Delete, BC delete 16973824 AVG Virus Vault Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgxpl.dll
Script: Quarantine, Delete, BC delete 53215232 LinkScanner SDK Copyright © 2008 AVG Technologies CZ, s.r.o. -- 3840
C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
Script: Quarantine, Delete, BC delete 49414144 Safe Search for Firefox Copyright © 2008 AVG Technologies CZ, s.r.o. -- 3840
C:\Program Files\Microsoft Office\OFFICE11\1033\srintl.dll
Script: Quarantine, Delete, BC delete 1040187392 Microsoft Office component Copyright © 2001-2003 Microsoft Corporation. All rights reserved. -- 2288
C:\Program Files\Mozilla Firefox\components\jar50.dll
Script: Quarantine, Delete, BC delete 1610678272 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\components\myspell.dll
Script: Quarantine, Delete, BC delete 1610874880 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\components\spellchk.dll
Script: Quarantine, Delete, BC delete 1610940416 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL
Script: Quarantine, Delete, BC delete 25886720 Talkback Library © Copyright 1997-1999 Full Circle Software, Inc. All Rights Reserved. -- 3840
C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\qfaservices.dll
Script: Quarantine, Delete, BC delete 268435456 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\firefox.exe
Script: Quarantine, Delete, BC delete 4194304 Firefox Mozilla Corporation ?? 3840
C:\Program Files\Mozilla Firefox\freebl3.dll
Script: Quarantine, Delete, BC delete 1611202560 NSS freebl Library -- 3840
C:\Program Files\Mozilla Firefox\js3250.dll
Script: Quarantine, Delete, BC delete 1611464704 Netscape 32-bit JavaScript Module Copyright Netscape Communications. 1994-96 -- 3840
C:\Program Files\Mozilla Firefox\nspr4.dll
Script: Quarantine, Delete, BC delete 1612316672 NSPR Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\nss3.dll
Script: Quarantine, Delete, BC delete 1612513280 NSS Base Library -- 3840
C:\Program Files\Mozilla Firefox\nssckbi.dll
Script: Quarantine, Delete, BC delete 1612906496 NSS Builtin Trusted Root CAs -- 3840
C:\Program Files\Mozilla Firefox\plc4.dll
Script: Quarantine, Delete, BC delete 1613234176 PLC Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\plds4.dll
Script: Quarantine, Delete, BC delete 1613299712 PLDS Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
Script: Quarantine, Delete, BC delete 805306368 -- 3840
C:\Program Files\Mozilla Firefox\smime3.dll
Script: Quarantine, Delete, BC delete 1613430784 NSS S/MIME Library -- 3840
C:\Program Files\Mozilla Firefox\softokn3.dll
Script: Quarantine, Delete, BC delete 1613561856 NSS PKCS #11 Library -- 3840
C:\Program Files\Mozilla Firefox\ssl3.dll
Script: Quarantine, Delete, BC delete 1613824000 NSS SSL Library -- 3840
C:\Program Files\Mozilla Firefox\xpcom.dll
Script: Quarantine, Delete, BC delete 1613955072 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\xpcom_compat.dll
Script: Quarantine, Delete, BC delete 1614020608 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\xpcom_core.dll
Script: Quarantine, Delete, BC delete 1614151680 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Yahoo!\Shared\YbSkin2.dll
Script: Quarantine, Delete, BC delete 1667235840 Yahoo! Skinning Object © Yahoo! Inc. All rights reserved. -- 176
C:\PROGRA~1\AVG\AVG8\avgcfgx.dll
Script: Quarantine, Delete, BC delete 10682368 AVG Configuration Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgcorex.dll
Script: Quarantine, Delete, BC delete 4521984 AVG Scanning Core Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 716
C:\PROGRA~1\AVG\AVG8\avgcrlpx.dll
Script: Quarantine, Delete, BC delete 60227584 AVG Core RLP Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 716
C:\PROGRA~1\AVG\AVG8\avgemc.exe
Script: Quarantine, Delete, BC delete 4194304 AVG E-Mail Scanner Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 2004
C:\PROGRA~1\AVG\AVG8\avglngx.dll
Script: Quarantine, Delete, BC delete 28311552 AVG Language Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
Script: Quarantine, Delete, BC delete 4194304 AVG Resident Shield Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 716
C:\PROGRA~1\AVG\AVG8\avgsched.dll
Script: Quarantine, Delete, BC delete 27459584 AVG Scheduler Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgtray.exe
Script: Quarantine, Delete, BC delete 4194304 AVG Tray Monitor Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 648
C:\PROGRA~1\AVG\AVG8\avgwd.dll
Script: Quarantine, Delete, BC delete 7602176 AVG Watchdog Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
Script: Quarantine, Delete, BC delete 4194304 AVG Watchdog Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 504
C:\PROGRA~1\AVG\AVG8\avgwdwsc.dll
Script: Quarantine, Delete, BC delete 27918336 AVG Windows Security Center Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\libsasl.dll
Script: Quarantine, Delete, BC delete 1646264320 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\saslcrammd5.dll
Script: Quarantine, Delete, BC delete 1646460928 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\sasldigestmd5.dll
Script: Quarantine, Delete, BC delete 1646526464 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\sasllogin.dll
Script: Quarantine, Delete, BC delete 1646395392 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\saslplain.dll
Script: Quarantine, Delete, BC delete 1646329856 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll
Script: Quarantine, Delete, BC delete 268435456 IBM ThinkPad Battery MaxiMiser Gauge Copyright © IBM Corp. 2000,2005. -- 204, 524
C:\PROGRA~1\ThinkPad\UTILIT~1\tppwrw32.dll
Script: Quarantine, Delete, BC delete 10158080 IBM ThinkPad Power Management DLL for Win32 Copyright © IBM Corp. 1997,2005. -- 524
C:\PROGRA~1\Yahoo!\MESSEN~1\res_msgr.dll
Script: Quarantine, Delete, BC delete 1694498816 Resource Module © 1998-2007 Yahoo! Inc. All rights reserved. -- 176
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
Script: Quarantine, Delete, BC delete 4194304 Yahoo! Messenger Tray © 1998-2007 Yahoo! Inc. All rights reserved. ?? 176
C:\WINDOWS\system32\avgrsstx.dll
Script: Quarantine, Delete, BC delete 268435456 AVG Resident Shield Starter Copyright © 2008 AVG Technologies CZ, s.r.o. -- 828
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
Script: Quarantine, Delete, BC delete 65536 Kodak DC Ring 3 Conduit (Win32) Copyright © Eastman Kodak Co. 2000 ?? 580
C:\WINDOWS\system32\Macromed\Common\SwSupport.dll
Script: Quarantine, Delete, BC delete 1761607680 Director Support Copyright © 1985-2006 Adobe Systems, Inc. -- 3840
C:\WINDOWS\System32\QCONSVC.EXE
Script: Quarantine, Delete, BC delete 4194304 IBM Access Connections - Service Component. Copyright © IBM Corp. 2001, 2005 ?? 768
C:\WINDOWS\system32\tphklock.dll
Script: Quarantine, Delete, BC delete 18481152 -- 828
C:\WINDOWS\system32\TpKmpSVC.exe
Script: Quarantine, Delete, BC delete 4194304 ?? 1312
Modules detected:342, recognized as trusted 280
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\WINDOWS\System32\drivers\ANC.SYS
Script: Quarantine, Delete, BC delete F7BF1000 003000 (12288) IBM Access Connections - ANC Copyright © IBM Corp. 2003, 2004
C:\WINDOWS\System32\Drivers\avgldx86.sys
Script: Quarantine, Delete, BC delete EF808000 016000 (90112) AVG AVI Loader Driver Copyright © 2008 AVG Technologies CZ, s.r.o.
C:\WINDOWS\System32\Drivers\avgmfx86.sys
Script: Quarantine, Delete, BC delete F891B000 005000 (20480) AVG Resident Shield Minifilter Driver Copyright © 2008 GRISOFT, s.r.o.
C:\WINDOWS\System32\Drivers\avgtdix.sys
Script: Quarantine, Delete, BC delete EF158000 011000 (69632) AVG Network connection watcher Copyright © 2008 AVG Technologies CZ, s.r.o.
C:\WINDOWS\system32\DRIVERS\DcCam.sys
Script: Quarantine, Delete, BC delete F88E3000 008000 (32768) Kodak Digital Camera Driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\system32\DRIVERS\DCFS2k.sys
Script: Quarantine, Delete, BC delete F8693000 009000 (36864) Kodak DC File System Driver (NT) Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\system32\DRIVERS\DcLps.sys
Script: Quarantine, Delete, BC delete F8A7B000 002000 (8192) Kodak Digital Camera LPS Driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete EF7F0000 018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Script: Quarantine, Delete, BC delete F8A79000 002000 (8192)
C:\WINDOWS\system32\DRIVERS\EXPORTIT.SYS
Script: Quarantine, Delete, BC delete EF9F6000 01D000 (118784) Kodak DC File System driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\System32\drivers\IBMBLDID.SYS
Script: Quarantine, Delete, BC delete F8B52000 001000 (4096)
C:\WINDOWS\System32\Drivers\TPHKDRV.SYS
Script: Quarantine, Delete, BC delete F89EF000 004000 (16384) ThinkPad Hotkey Driver Copyright © 1999,2002, IBM Corporation
C:\WINDOWS\System32\drivers\Tppwr.sys
Script: Quarantine, Delete, BC delete F890B000 008000 (32768) IBM ThinkPad Power Management Device Driver Copyright © IBM Corp. 1997,2005.
C:\WINDOWS\System32\drivers\TSMAPIP.SYS
Script: Quarantine, Delete, BC delete F8903000 006000 (24576)
Modules detected - 133, recognized as trusted - 119
Services
Service Description Status File Group Dependencies
avg8emc
Service: Stop, Delete, Disable AVG8 E-mail Scanner Running C:\PROGRA~1\AVG\AVG8\avgemc.exe
Script: Quarantine, Delete, BC delete RPCSS
avg8wd
Service: Stop, Delete, Disable AVG8 WatchDog Running C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
Script: Quarantine, Delete, BC delete
Dcfssvc
Service: Stop, Delete, Disable Dcfssvc Running C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
Script: Quarantine, Delete, BC delete
QCONSVC
Service: Stop, Delete, Disable QCONSVC Running C:\WINDOWS\system32\QCONSVC.EXE
Script: Quarantine, Delete, BC delete
TpKmpSVC
Service: Stop, Delete, Disable IBM KCU Service Running C:\WINDOWS\system32\TpKmpSVC.exe
Script: Quarantine, Delete, BC delete
Detected - 51, recognized as trusted - 46
Drivers
Service Description Status File Group Dependencies
ANC
Driver: Unload, Delete, Disable ANC Running C:\WINDOWS\system32\drivers\ANC.SYS
Script: Quarantine, Delete, BC delete
AvgLdx86
Driver: Unload, Delete, Disable AVG AVI Loader Driver x86 Running C:\WINDOWS\System32\Drivers\avgldx86.sys
Script: Quarantine, Delete, BC delete AVG
AvgMfx86
Driver: Unload, Delete, Disable AVG On-access Scanner Minifilter Driver x86 Running C:\WINDOWS\System32\Drivers\avgmfx86.sys
Script: Quarantine, Delete, BC delete AVG
AvgTdiX
Driver: Unload, Delete, Disable AVG8 Network Redirector Running C:\WINDOWS\System32\Drivers\avgtdix.sys
Script: Quarantine, Delete, BC delete
DcCam
Driver: Unload, Delete, Disable Kodak Camera Proxy Running C:\WINDOWS\system32\DRIVERS\DcCam.sys
Script: Quarantine, Delete, BC delete Base
DCFS2k
Driver: Unload, Delete, Disable DCFS2k Running C:\WINDOWS\system32\DRIVERS\DCFS2k.sys
Script: Quarantine, Delete, BC delete Base
DcLps
Driver: Unload, Delete, Disable Legacy Polling Service Running C:\WINDOWS\system32\DRIVERS\DcLps.sys
Script: Quarantine, Delete, BC delete Base
IBMTPCHK
Driver: Unload, Delete, Disable IBMTPCHK Running C:\WINDOWS\system32\drivers\IBMBLDID.SYS
Script: Quarantine, Delete, BC delete
TPHKDRV
Driver: Unload, Delete, Disable TPHKDRV Running C:\WINDOWS\system32\Drivers\TPHKDRV.sys
Script: Quarantine, Delete, BC delete
TPPWR
Driver: Unload, Delete, Disable TPPWR Running C:\WINDOWS\system32\drivers\Tppwr.sys
Script: Quarantine, Delete, BC delete
TSMAPIP
Driver: Unload, Delete, Disable TSMAPIP Running C:\WINDOWS\system32\drivers\TSMAPIP.SYS
Script: Quarantine, Delete, BC delete
Detected - 100, recognized as trusted - 89
Autoruns
File name Status Startup method Description
"C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe" -p %ld -e %ld
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Adobe Photo Downloader
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Adobe Reader Speed Launcher
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMLREF
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMMONWND
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, DataLayer
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, EZEJMNAP
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, HotKeysCmds
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IgfxTray
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, iTunesHelper
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NeroFilterCheck
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, PCSuiteTrayApplication
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QCTRAY
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QCWLICON
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QuickTime Task
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, RemoteControl
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SoundMAX
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SoundMAXPnP
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TP4EX
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPHOTKEY
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPKMAPHELPER
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TrackPointSrv
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, msnmsgr
.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, PcSync
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SmileboxTray
C:\PROGRA~1\AVG\AVG8\avgtray.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, AVG8_TRAY
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, MSKAGENTEXE
C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BLOG
C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMGAG
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Yahoo! Pager
C:\Program Files\McAfee\McAfee QuickClean\Uni.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\RunOnce, ARC
C:\WINDOWS\system32\avgrsstx.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs
QConGina.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina, DLLName
tphklock.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey, DLLName
Autoruns items detected - 86, recognized as trusted - 52
Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
C:\Program Files\AVG\AVG8\avgssie.dll
Script: Quarantine, Delete, BC delete BHO Safe Search for Internet Explorer Copyright © 2008 AVG Technologies CZ, s.r.o. {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Delete
Elements detected - 4, recognized as trusted - 3
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
deskpan.dll
Script: Quarantine, Delete, BC delete Display Panning CPL Extension {42071714-76d4-11d1-8b24-00a0c9068ff3}
Shell extensions for file compression {764BF0E1-F219-11ce-972D-00AA00A14F56}
Encryption Context Menu {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Media Band {32683183-48a0-441b-a342-7c2a440a9478}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Script: Quarantine, Delete, BC delete Autoplay for SlideShow {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
Script: Quarantine, Delete, BC delete Registered ActiveX Controls Microsoft® Developer Studio Explorer Shell Extensions Copyright © Microsoft Corp. 1997 {6B19FEC2-A45B-11CF-9045-00A0C9039735}
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
Script: Quarantine, Delete, BC delete Developer Studio Components Microsoft® Developer Studio Explorer Shell Extensions Copyright © Microsoft Corp. 1997 {D545EBD1-BD92-11CF-8772-00A0C9039735}
C:\Program Files\Common Files\KODAK\IFSCore\shellext.dll
Script: Quarantine, Delete, BC delete KodakShellExtension Shell Extension DLL Copyright © Eastman Kodak Company 2000 {acb4a560-3606-11d3-aef4-00104bd0f92d}
C:\Program Files\AVG\AVG8\avgse.dll
Script: Quarantine, Delete, BC delete AVG8 Shell Extension AVG Shell Extension Copyright © 2008 AVG Technologies CZ, s.r.o. {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
AVG8 Find Extension {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
Elements detected - 204, recognized as trusted - 192
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 8, recognized as trusted - 8
Task Scheduler jobs
File name Job name Job status Description Manufacturer
C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
Script: Quarantine, Delete, BC delete BMMTask.job The task will not run at the scheduled times because it has been disabled.
Elements detected - 2, recognized as trusted - 1
SPI/LSP settings
Namespace providers (NSP)
Manufacturer Status EXE file Description GUID
Detected - 3, recognized as trusted - 3
Transport protocol providers (TSP, LSP)
Manufacturer EXE file Description
Detected - 13, recognized as trusted - 13
Results of automatic SPI settings check

LSP settings checked. No errors detected

TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 2192 [1152] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 38926 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 28803 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING 0.0.0.0 59513 [2344] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
1034 ESTABLISHED 127.0.0.1 1035 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1035 ESTABLISHED 127.0.0.1 1034 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1036 ESTABLISHED 127.0.0.1 1037 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1037 ESTABLISHED 127.0.0.1 1036 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1128 ESTABLISHED 205.188.194.1 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1222 FIN_WAIT2 122.55.35.169 443 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1238 TIME_WAIT 58.71.107.11 80 [0]
1263 LAST_ACK 203.84.204.69 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1269 LAST_ACK 203.84.204.69 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1279 ESTABLISHED 58.71.107.18 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1309 LAST_ACK 209.191.93.150 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1312 ESTABLISHED 206.222.234.68 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1313 ESTABLISHED 206.222.234.68 443 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
1314 ESTABLISHED 206.222.234.68 80 [3840] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
10110 LISTENING 0.0.0.0 57452 [2004] c:\progra~1\avg\avg8\avgemc.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1224] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1224] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [892] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1032 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1040 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1041 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1060 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1412] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1412] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [892] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Microsoft XML Parser for Java
Delete file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
Script: Quarantine, Delete, BC delete Kaspersky Online Scanner GUI Part Copyright c Kaspersky Lab 1997-2007. Portions Copyright c Lan Crypto {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
Delete http://www.kaspersky...can_unicode.cab
C:\WINDOWS\DOWNLO~1\CONFLICT.2\stg_drm.ocx
Script: Quarantine, Delete, BC delete SpinTopDRM Module Copyright 2007 {149E45D8-163E-4189-86FC-45022AB2B6C9}
Delete file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
C:\WINDOWS\DOWNLO~1\oscan82.ocx
Script: Quarantine, Delete, BC delete {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
Delete http://download.bitd...can8/oscan8.cab
C:\WINDOWS\Downloaded Program Files\fscax.dll
Script: Quarantine, Delete, BC delete {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}
Delete http://support.f-sec...m/ols/fscax.cab
./Images/armhelper.ocx
Script: Quarantine, Delete, BC delete {CC450D71-CC90-424C-8638-1F2DBAC87A54}
Delete file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
Elements detected - 6, recognized as trusted - 0
Control Panel Applets (CPL)
File name Description Manufacturer
C:\WINDOWS\system32\tp4ex.cpl
Script: Quarantine, Delete, BC delete IBM TrackPoint Accessibility Features Copyright © IBM Corporation 2001-2002
Elements detected - 25, recognized as trusted - 24
Active Setup
File name Description Manufacturer CLSID
Elements detected - 14, recognized as trusted - 14
HOSTS file
Hosts file record

127.0.0.1 localhost

Protocols and handlers
File name Type Description Manufacturer CLSID
C:\Program Files\AVG\AVG8\avgpp.dll
Script: Quarantine, Delete, BC delete Handler Safe Search pluggable protocol (linkscanner: ExPLabs.com Pluggable Protocol) Copyright © 2008 AVG Technologies CZ, s.r.o. {F274614C-63F8-47D5-A4D1-FBDDE494F8D1}
Elements detected - 34, recognized as trusted - 33
Suspicious objects
File Description Type

Script commands
Add commands to script:

* Blocking hooks using Anti-Rootkit
* Enable AVZGuard
* BootCleaner - import list of deleted files
* Registry cleanup after deleting files
* BootCleaner - activate
* Reboot
* Insert template for QuarantineFile() - quarantining file
* Insert template for BC_QrFile() - quarantining file via BootCleaner
* Insert template for DeleteFile() - deleting file
* Insert template for DelCLSID() - deleting CLSID item from registry

File list

Attached Files

avz_sysinfo.htm 120.2KB 26 downloads

#176
kahdah

Posted 11 May 2008 - 09:25 AM

GeekU Teacher

Retired Staff
15,822 posts

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

You can delete that after it merges.
============
Download the HostsXpert 4.2 - Hosts File Manager.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

====================
Please download and unzip Icesword to its own folder on your desktop

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Edited by kahdah, 11 May 2008 - 09:26 AM.

#177
amm007

Posted 16 May 2008 - 06:59 AM

Member

Topic Starter
Member
265 posts

I found no red items. Sorry for the delay in reply.
Process:

System Idle Process
System
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Ruberc\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMGAG
RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BLOG
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader
; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
; "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMLREF
; C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BMMMONWND
; rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DataLayer
; C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EZEJMNAP
; C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
; C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
; C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
; "C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
; C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PCSuiteTrayApplication
; C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QCTRAY
; C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QCWLICON
; C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
; "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RemoteControl
; "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMAX
; "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP
; C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TP4EX
; tp4ex.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPHOTKEY
; C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPKMAPHELPER
; C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TrackPointSrv
; tp4serv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG8_TRAY
C:\PROGRA~1\AVG\AVG8\avgtray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSKAGENTEXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr
; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
PcSync
; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SmileboxTray
"C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini

C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup
desktop.ini

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avg8emc Display Name:AVG8 E-mail Scanner
Service Name:avg8wd Display Name:AVG8 WatchDog
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:Dcfssvc Display Name:Dcfssvc
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:IBMPMSVC Display Name:IBM PM Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:QCONSVC Display Name:QCONSVC
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SoundMAX Agent Service (default) Display Name:SoundMAX Agent Service
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TpKmpSVC Display Name:IBM KCU Service
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

Message hooks:
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Ruberc\Application Data\Smilebox\Smileboxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe

#178
kahdah

Posted 16 May 2008 - 10:51 AM

GeekU Teacher

Retired Staff
15,822 posts

Are you still getting redirected after running the Host expert program?

#179
amm007

Posted 20 May 2008 - 08:16 PM

Member

Topic Starter
Member
265 posts

I am not redirected anymore but the virus activity is resilient. Displaying hidden files is once again counteracted by the virus. Below is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:12 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\ChikkaV4\ChikkaLauncher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Nokia\NOKIAP~1\VFSWRA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Adobe Photo Downloader] ; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] ; "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMMLREF] ; C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] ; rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [DataLayer] ; C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [EZEJMNAP] ; C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [HotKeysCmds] ; C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] ; C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] ; C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QCTRAY] ; C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] ; C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QuickTime Task] ; "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] ; "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAX] ; "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] ; C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TP4EX] ; tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] ; C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] ; C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] ; tp4serv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] ; "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 7891 bytes

#180
kahdah

Posted 21 May 2008 - 02:57 AM

GeekU Teacher

Retired Staff
15,822 posts

Please go to Start > Run> then copy\paste this in "%userprofile%\desktop\dss.exe" /config then hit ok.
Place a check next to everything and click on ok or scan.
Post those logs please.