Question

Infected by recurring Virus. Need help interpreting HijackThis logfile.

Asked by: rljack01

The HijackThis log is appended. Please help me to interpret it about what needs to be deleted. I will then attempt the PD as this is the 2nd time infected as a result of a 2nd email from the suspect malware domain. I have since blocked future emails from the 'bad guys' and have asked the ISP to block them too.

The HijackThis logfile is appended. Also, please recommend a reliable firewall to ID and block the malware from entering my XP system from unopened emails. They came through my D-Link router DI-624 and through the firewall on my PC with no warning. Empty registry keys reoccur within seconds of my IDing and deleting them with RegCure, SUPERAntiSpyware, etc.

Also please advise of any other suggested AV protection. I have PC Tools AV software running.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:52 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bonnie Jackson')
O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Bonnie Jackson')
O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Bonnie Jackson')
O4 - S-1-5-21-1715567821-412668190-839522115-1004 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')
O4 - S-1-5-21-1715567821-412668190-839522115-1004 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244823990281
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pest Patrol Realtime Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - CA, Inc. - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
 
--
End of file - 11665 bytes
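A triage pass over a HijackThis log of the shape posted above, as an added example (my code, not HijackThis's, Experts Exchange's or the poster's): it splits the log into its R*/O* entries and flags the ones a defender would examine first. The sample log is constructed from lines quoted in the log above plus one made-up O4 entry, and the rules are simple heuristics, not a verdict on any entry.

```python
"""Triage a HijackThis v2 log: split it into R*/O* entries and flag the
entries an analyst would look at first (missing service binaries, services
without publisher data, autostarts living outside the usual program folders).
Added example; not code from HijackThis, Experts Exchange or the poster."""
import re

# Constructed sample: the O2/O16/O23 lines and the ISTray line are copied from
# the log quoted in the question; the "[updater]" line is made up to exercise
# the path rule.
SAMPLE_LOG = r'''Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:52 AM, on 8/20/2009
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - CA, Inc. - (no file)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
'''

# "O23 - Service: ..." -> section code and the rest of the line
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")
# first drive-letter path ending in a loadable file, quoted or not
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl|scr))', re.IGNORECASE)
# where autostart components live on a stock XP install (lower-cased prefixes)
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse_log(text):
    """Return [(section_code, body)] for every R*/F*/N*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def binary_path(body):
    """Extract the on-disk path an entry refers to, or None if it has none."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(entries):
    """Apply a few defender heuristics; return findings in log order."""
    findings = []
    for code, body in entries:
        low = body.lower()
        path = binary_path(body)
        reason = None
        if code == "O23" and low.endswith("(no file)"):
            reason = "service is registered but its binary is missing"
        elif code == "O23" and " - unknown owner - " in low:
            reason = "service binary carries no publisher information"
        elif (code in ("O2", "O3", "O4", "O20") and path
              and not path.lower().startswith(STANDARD_DIRS)):
            reason = "autostart component lives outside Program Files and WINDOWS"
        if reason:
            findings.append({"code": code, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f['code']}: {f['reason']}\n    {f['entry']}")
```

Anything flagged still needs a look at the file itself (publisher, signature, creation time) before it is fixed with HijackThis; the rules only order the work.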

                                  


Asked on: 2009-08-20 at 11:53:42 (ID 24669182)
Tags: Known malware site
Topics: Operating Systems Network Security, Network Software Firewalls, Networking Hardware Firewalls
Participating experts: 4 | Points: 500 | Comments: 26


Answers

 

by: atlas_shuddered, posted on 2009-08-20 at 14:05:46 (ID: 25147134)

What is the actual malware that you are showing as being infected with?

Have you shut down the system restore service and rebooted into safe mode prior to deleting the suspected malware?

Check out Kaspersky and try to limit the number of applications to one per objective.  Running multiples can lead to conflicts, etc.

 

by: pankusareen, posted on 2009-08-20 at 23:06:20 (ID: 25149408)

And for free antivirus for Windows (GUI version):
Avira
http://www.free-av.com/

Avg
http://free.avg.com/

And paid versions:
Eset nod32
http://www.eset.com/

Kaspersky
http://www.kaspersky.com/

 

by: rljack01, posted on 2009-08-21 at 02:48:22 (ID: 25150214)

SUPERAntiSpyware and Malwarebytes are unable to find it.

After PD (the 1st time around as I have been reinfected on my XP PC) was "jqs.exe" that I renamed.

Then I was reinfected (PC XP Pro) by an email from the known malware site.

 

by: rljack01, posted on 2009-08-21 at 02:54:07 (ID: 25150238)

Have not been able to ID the actual spyware only its effects.

Recurring system auto shutdowns, s l o w system response, poor printer response (hours or not at all) and recurring empty registry keys (recurring within seconds of removal)

(I am working from my VISTA laptop)

 

by: rljack01, posted on 2009-08-21 at 03:38:46 (ID: 25150400)

Am currently running the Kaspersky Online Scanner v7.0 based upon advice from pankusareen.

I will report the results to this post.

 

by: rsivanandan, posted on 2009-08-22 at 05:42:21 (ID: 25158496)

I'd suggest you do a manual fix first.

1. First run a hijack log, and go to hijackthis.de
2. Paste your results and you can see that there are a lot of applications that could be causing the problem. I looked at it and a lot of ? are there.

3. With the same hijackthis tool, you can fix it line by line.

Cheers,
Rajesh

 

by: rljack01, posted on 2009-08-22 at 07:26:29 (ID: 25158786)

rsivanandan - I hope to follow your manual fix process after running Regmon per the XP Inside Out book, page 1328, using the syntax fc /u before.reg after.reg > regcomp.txt (where I substitute the actual names of my snapshot files for before.reg and after.reg).

According to the XP Pro Inside Out book, Regmon can be downloaded from http://www.sysinternals.com/ntw2k/source/regmon.shtml. I think it also may be on the XP Pro Resource Kit CD (ISBN 0-7356-2167-5) or in MS Server 2003 R2 under Admin Tools, but I'm not sure yet. If I can't find the Regmon program, I'll use your manual method.

Thanks.
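A Python version of the before/after snapshot comparison described in the reply above, as an added example (not the poster's procedure or the book's code): it parses regedit exports into per-key dictionaries, so differences are reported per key and value rather than as the raw line changes fc /u prints, and a third snapshot catches keys that come back after being deleted. The three snapshots are constructed; regedit's Export writes UTF-16, which load_reg assumes when reading a real file.

```python
"""Compare regedit .reg exports per key instead of per line (the fc /u
approach gives raw line differences). Added example; not the poster's or
the book's code. The snapshots below are constructed."""
import re

# "Name"=data or @=data; group 1 is the value name (None for the default value)
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Constructed snapshot 1: baseline, with an empty "Leftover" subkey.
SNAPSHOT_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"=dword:00000007

[HKEY_CURRENT_USER\Software\ExampleApp\Leftover]

[HKEY_CURRENT_USER\Software\ExampleApp\Blob]
"Data"=hex:01,02,03,\
  04,05
'''

# Constructed snapshot 2: taken right after deleting the Leftover key.
SNAPSHOT_AFTER_DELETE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"=dword:00000007

[HKEY_CURRENT_USER\Software\ExampleApp\Blob]
"Data"=hex:01,02,03,04,05
'''

# Constructed snapshot 3: a little later; the key is back and a value changed.
SNAPSHOT_LATER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"=dword:00000008

[HKEY_CURRENT_USER\Software\ExampleApp\Leftover]

[HKEY_CURRENT_USER\Software\ExampleApp\Blob]
"Data"=hex:01,02,03,04,05
'''


def parse_reg(text):
    """Parse regedit export text into {key: {value_name: raw_data}}."""
    tree = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        # long hex values are wrapped with a trailing backslash; glue them back
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})  # a key with no values stays an empty dict
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        tree[current][name] = m.group(2)
    return tree


def load_reg(path):
    """Read a file written by regedit's Export (UTF-16 with BOM) and parse it."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def empty_keys(tree):
    """Keys that carry no values at all: the 'empty keys' the poster keeps seeing."""
    return sorted(k for k, values in tree.items() if not values)


def diff_reg(before, after):
    """Return (added_keys, removed_keys, changed_values) between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for key in set(before) & set(after):
        for name in set(before[key]) | set(after[key]):
            old, new = before[key].get(name), after[key].get(name)
            if old != new:
                changed.append((key, name, old, new))
    return added, removed, sorted(changed)


def recurring_keys(baseline, after_delete, later):
    """Keys present at baseline, gone right after deletion, and back again later."""
    return sorted(k for k in baseline if k not in after_delete and k in later)


if __name__ == "__main__":
    before = parse_reg(SNAPSHOT_BEFORE)
    after = parse_reg(SNAPSHOT_AFTER_DELETE)
    later = parse_reg(SNAPSHOT_LATER)
    print("empty keys at baseline:", empty_keys(before))
    print("added / removed / changed since deletion:", diff_reg(after, later))
    print("keys that came back:", recurring_keys(before, after, later))
```

The snapshot diff shows what changed, not what changed it; pairing it with a Regmon/Process Monitor capture over the same interval is what names the process that writes the key back.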

 

by: rljack01, posted on 2009-08-22 at 08:33:44 (ID: 25159038)

I appreciate your direction, rsivanandan.

I will review the log and post it as soon as my XP PC pastes the .de results and sends an email to this PC.

I tend to think that the unknown service "O23" may be the culprit, as all other unknown services look to be from my ISP, but I must check into the last 2 characters on the ISP domain name (looks suspicious) as, under pressure from my past boss last Monday, I purchased from a known malware site to maintain my job and gave the bad guys a Comcast domain in my email registration. So I may delete those suspicious entries after I research the suspicious domain that is tied to an unidentified process and application in 6 entries in my registry.

Thanks. I'll respond further after I do the deletes and test my XP PC response, etc.

 

by: rljack01, posted on 2009-08-22 at 08:57:09 (ID: 25159104)

I also appended the code snippet.

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. (I do but it may have been compromised. - I'll check. rljack01) You can look here for a good anti-virus scanner. We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

Entry | Kind / Visitor's assessment / Information
Logfile of Trend Micro HijackThis v2.0.2 | This should be the newest version.
Platform: Windows XP SP3 (WinNT 5.01.2600) |
MSIE: Internet Explorer v7.00 (7.00.6000.16876) | This should be the newest version.
Boot mode: Normal | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\System32\smss.exe | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\csrss.exe | Safe. Systemprozess - Client Server Runtime
C:\WINDOWS\system32\winlogon.exe | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\services.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\lsass.exe | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\System32\svchost.exe | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\spoolsv.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\msdtc.exe | Safe.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe | Very safe. Apple Mobile Device Support
C:\Program Files\Bonjour\mDNSResponder.exe | Neutral. Part of Apple iTunes 5
C:\WINDOWS\system32\cisvc.exe | Safe. Microsoft Index Service Helper
C:\Program Files\Spyware Doctor\pctsAuxs.exe | Very safe. Safe (4.34 / 5.00)
C:\Program Files\Spyware Doctor\pctsSvc.exe | Very safe. Safe (4.28 / 5.00)
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe | Neutral. Safe (3.55 / 5.00)
C:\WINDOWS\System32\snmp.exe | Safe.
C:\WINDOWS\system32\svchost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\mqsvc.exe | Neutral.
C:\WINDOWS\system32\mqtgsvc.exe | Safe.
C:\WINDOWS\System32\alg.exe | Very safe. This service is unnecessary if you do not use ICS. This entry was classified from our visitors as good.
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe | Safe (4.39 / 5.00)
C:\Program Files\RegCure\RegCure.exe | Safe. Safe (4.17 / 5.00)
C:\WINDOWS\Explorer.EXE | Very safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\ctfmon.exe | Very safe. This entry was classified from our visitors as good.
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe | Safe. This entry was classified from our visitors as good.
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe | Safe. Possibly nasty! According to our database this process runs normally in c:\programme\roxio\easy cd creator 6\dragtodisc\! Check if you know this process and arrange a viruscheck where required. Roxio Easy CD Creator DragToDisc
C:\Program Files\Spyware Doctor\pctsTray.exe | Very safe. Safe (4.42 / 5.00)
C:\WINDOWS\System32\svchost.exe | Very safe. This entry was classified from our visitors as good.
C:\Program Files\Registry Mechanic\RegMech.exe | Safe. This entry was classified from our visitors as good.
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe | Very safe. This entry was classified from our visitors as good.
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe | Very safe. HP Digital Imaging
C:\Program Files\Windows Desktop Search\WindowsSearch.exe | Safe. Windows Desktop Search (WDS)
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE | Very safe. ONENOTEM.EXE is a part of the note taking program that ships with Microsoft Office 2003. Its required for the side note windows to work.
C:\WINDOWS\system32\SearchIndexer.exe | Safe. This entry was classified from our visitors as good.
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe | Safe. Hewlett-Packard
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe | Very safe. Hewlett-Packard Digital Imaging
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe | Neutral. Hewlett-Packard Printer related
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe | Safe. Possibly nasty! According to our database this process runs normally in c:\programme\ca\sharedcomponents\pprt\bin\! Check if you know this process and arrange a viruscheck where required. Part of Computer Associates Anti/Spyware
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe | This is a unknown process.
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe | This is a unknown process.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe | Safe. Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups! This entry was classified from our visitors as good.
C:\WINDOWS\system32\NOTEPAD.EXE | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\notepad.exe | Very safe. In Windows integriertes Schreibprogramm.
C:\WINDOWS\system32\cidaemon.exe | Safe. This entry was classified from our visitors as good.
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE | Possibly nasty! According to our database this process runs normally in c:\programme\microsoft office\office11\! Check if you know this process and arrange a viruscheck where required. E-Mail Client für Windows.
C:\Program Files\Internet Explorer\IEXPLORE.EXE | Very safe. This entry was classified from our visitors as good.
C:\Program Files\Windows Live\Toolbar\wltuser.exe | Safe. Safe (3.7 / 5.00)
C:\Program Files\comcasttb\CIDGlobalLight.exe | This is a unknown process.
C:\WINDOWS\system32\HPZipm12.exe | Very safe. HP Taskbar Utility
C:\WINDOWS\system32\HPZinw12.exe | Neutral. Hewlett-Packard WLAN-Printer related
C:\Program Files\Spyware Doctor\pctsGui.exe | Safe (4.25 / 5.00)
C:\Program Files\Internet Explorer\iexplore.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\SearchProtocolHost.exe | Safe. This entry was classified from our visitors as good.
C:\WINDOWS\system32\SearchFilterHost.exe | Safe. Microsoft Windows Search related process
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 | Safe. This entry was classified from our visitors as good.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 | Safe. This entry was classified from our visitors as good.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 | Safe. This entry was classified from our visitors as good.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 | Safe. This entry was classified from our visitors as good.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = | Safe. This entry was classified from our visitors as good.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = | Safe. This entry was classified from our visitors as good.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local | Safe. This entry was classified from our visitors as good.
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll | Safe. Unknown application. This entry was classified from our visitors as good.
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll | Windows Live Toolbar beta Search Enhancement Pack
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll | Very safe. GrooveShellExtensions.dll Groove Virtual Office
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll |
Unknown application.    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
Very safe This entry was classified from our visitors as good.    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
Safe googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll. - Google toolbar, http://toolbar.google.com/    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
swg.dll - Google Toolbar Notifier, http://googlesystem.blogspot.com/2006/07 /google-is-your-default-search.html    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Neutral Safe (3.92 / 5.00)    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
Safe jp2ssv.dll - Sun_Java, http://java.sun.com/javase/downloads/ind ex.jsp browser plugin    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
Neutral Safe (3.55 / 5.00)    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Very safe jqs_plugin.dll - Java Quick Starter, https://jdk6.dev.java.net/testQS.html    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
Safe googletoolbar.dll, googletoolbar*.dll (* = digit), googlenav.dll, googlenav*.dll, googletoolbar_en_*.**-big.dll, googletoolbar_en_*.*.**-deleon.dll - Google Toolbar    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
Safe Safe (3.55 / 5.00)    O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
Unknown application.    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Safe Not dangerous, but unnecessary. Speeds up the time it takes to load the Adobe Reader application. Your choice    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Very safe Not dangerous, but unnecessary. HP software updates. If a shortcut doesn't exist    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
Not dangerous, but unnecessary. Part of Roxio EasyCD Creator 6.0 - places the Roxio Drag-to-Disc icon in you system tray. "Easily drag and drop files for burning to CD or DVD. Disc formatting and burning will happen automatically". Not required for Roxio to work properly    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
Safe Unknown application. This entry was classified from our visitors as good.    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
Safe Java von Sun    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Neutral Associated with GoogleToolbarNotifier from Google Inc.    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
Safe This entry was classified from our visitors as good.    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
Very safe Registry Mechanic for Windows - "you can safely clean and repair Windows registry problems with a few simple mouse clicks! Problems with the Windows registry are a common cause of Windows crashes and error messages"    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Safe This entry was classified from our visitors as good.    O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
Unknown application.    O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bonnie Jackson')
Office related    O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Bonnie Jackson')
Not dangerous, but unnecessary. QuickTime    O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Bonnie Jackson')
Associated with GoogleToolbarNotifier from Google Inc.    O4 - S-1-5-21-1715567821-412668190-839522115-1004 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')
Safe (4.14 / 5.00)    O4 - S-1-5-21-1715567821-412668190-839522115-1004 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')
Safe (4.14 / 5.00)    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
Safe ONENOTEM.EXE is a part of the note taking program that ships with Microsoft Office 2003. Its required for the side note windows to work.    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Safe Not dangerous, but unnecessary. HP digital imaging monitor; can apparently be launched manually.    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Neutral HP Scanner related    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
Safe Microsofts Windows Desktop Search (WDS)    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
Very safe The entry E&xport to Microsoft Excel has been identified as safe.    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
Very safe Safe (4.14 / 5.00)    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
Very safe Safe (4.14 / 5.00)    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
The entry Send to OneNote has been identified as safe.    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
The entry S&end to OneNote has been identified as safe.    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
The entry Research has been identified as safe.    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Safe This entry was classified from our visitors as good.    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Safe This entry was classified from our visitors as good.    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Safe This entry was classified from our visitors as good.    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Neutral The entry Windows Messenger has been identified as safe.    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
Safe Check if you know this site and fix it if you do not. This entry was classified from our visitors as good.    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si te.cab?1244823990281
This entry has been identified as safe.    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
Neutral Safe (3.67 / 5.00)    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
This entry has been identified as safe.    O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
Safe Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
This entry has been identified as safe.    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
Safe This entry has been identified as safe.    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
Safe (3.97 / 5.00)    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Very safe Check if you know this site and fix it if you do not. This entry was classified from our visitors as good.    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
This entry has been identified as safe.    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
Very safe This entry has been identified as safe.    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Neutral Safe (3.92 / 5.00)    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Very safe This entry was classified from our visitors as good.    O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
Neutral Unknown service. (ComcastAntiSpyService.exe)    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Safe This service (AppleMobileDeviceService.exe) was identified as a good one.    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Neutral This service (mDNSResponder.exe) was identified as a good one.    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Safe This service (GoogleUpdaterService.exe) was identified as a good one. This entry was classified from our visitors as good.    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
Very safe This service (HPBPRO.EXE) was identified as a good one.    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
Safe Unknown service. (HPBOID.EXE) This entry was classified from our visitors as good.    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
Very safe This service (iPodService.exe) was identified as a good one.    O23 - Service: Pest Patrol Realtime Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
This service (ITMRTSVC.exe) was identified as a good one.    O23 - Service: Java Quick Starter (JavaQuickStarterService) - CA, Inc. - (no file)
Unknown service. ()    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Safe This service (HPZipm12.exe) was identified as a good one. This entry was classified from our visitors as good.    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
Very safe Unknown service. (pctsAuxs.exe) This entry was classified from our visitors as good.    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
Very safe Unknown service. (pctsSvc.exe) This entry was classified from our visitors as good.    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
Safe (4.39 / 5.00)    member --- RLJACK01
Short analysis
Use these tips at your own risk! © 2004 - 2009 Mathias Mattner

 It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. You can look here for a good anti-virus scanner. 
 We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP's own one. In case you have questions or you want us to add the firewall you use to our database, contact us at our forum. 
Actions Entry Kind Visitor's assessment Information 
  Logfile of Trend Micro HijackThis v2.0.2  
 This should be the newest version.  
  Platform: Windows XP SP3 (WinNT 5.01.2600)  
  
  MSIE: Internet Explorer v7.00 (7.00.6000.16876)  
 This should be the newest version.  
   Boot mode: Normal  
Very safe This entry was classified from our visitors as good. 
   C:\WINDOWS\System32\smss.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\csrss.exe  
Safe 
System process - Client Server Runtime 
   C:\WINDOWS\system32\winlogon.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\services.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\lsass.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\System32\svchost.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\spoolsv.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\msdtc.exe  
Safe 
 
   C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe  
Very safe 
Apple Mobile Device Support 
   C:\Program Files\Bonjour\mDNSResponder.exe  
Neutral 
Part of Apple iTunes 5 
   C:\WINDOWS\system32\cisvc.exe  
Safe 
Microsoft Index Service Helper 
   C:\Program Files\Spyware Doctor\pctsAuxs.exe  
Very safe Safe (4.34 / 5.00) 
   C:\Program Files\Spyware Doctor\pctsSvc.exe  
Very safe Safe (4.28 / 5.00) 
   C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe  
Neutral Safe (3.55 / 5.00) 
   C:\WINDOWS\System32\snmp.exe  
Safe 
 
   C:\WINDOWS\system32\svchost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\mqsvc.exe  
Neutral 
 
   C:\WINDOWS\system32\mqtgsvc.exe  
Safe 
 
   C:\WINDOWS\System32\alg.exe  
Very safe This service is unnecessary if you do not use ICS.
This entry was classified from our visitors as good. 
   C:\Program Files\Spyware Doctor\TFEngine\TFService.exe  
 Safe (4.39 / 5.00) 
   C:\Program Files\RegCure\RegCure.exe  
Safe Safe (4.17 / 5.00) 
   C:\WINDOWS\Explorer.EXE  
Very safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\ctfmon.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\Program Files\HP\HP Software Update\HPWuSchd2.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe  
Safe 
Possibly nasty! According to our database this process runs normally in c:\programme\roxio\easy cd creator 6\dragtodisc\! Check if you know this process and arrange a viruscheck where required. Roxio Easy CD Creator DragToDisc 
   C:\Program Files\Spyware Doctor\pctsTray.exe  
Very safe Safe (4.42 / 5.00) 
   C:\WINDOWS\System32\svchost.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\Program Files\Registry Mechanic\RegMech.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe  
Very safe 
This entry was classified from our visitors as good. 
   C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe  
Very safe 
HP Digital Imaging 
   C:\Program Files\Windows Desktop Search\WindowsSearch.exe  
Safe 
Windows Desktop Search (WDS) 
   C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE  
Very safe 
ONENOTEM.EXE is a part of the note taking program that ships with Microsoft Office 2003. It's required for the side note windows to work. 
   C:\WINDOWS\system32\SearchIndexer.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe  
Safe 
Hewlett-Packard 
   C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe  
Very safe 
Hewlett-Packard Digital Imaging 
   C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe  
Neutral 
Hewlett-Packard Printer related 
   C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe  
Safe 
Possibly nasty! According to our database this process runs normally in c:\programme\ca\sharedcomponents\pprt\bin\! Check if you know this process and arrange a viruscheck where required. Part of Computer Associates Anti/Spyware 
   C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe  
 This is an unknown process.
 
   C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe  
 This is an unknown process.
 
   C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  
Safe Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups! This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\NOTEPAD.EXE  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\notepad.exe  
Very safe 
Text editor built into Windows. 
   C:\WINDOWS\system32\cidaemon.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE  
 
Possibly nasty! According to our database this process runs normally in c:\programme\microsoft office\office11\! Check if you know this process and arrange a viruscheck where required. E-mail client for Windows. 
   C:\Program Files\Internet Explorer\IEXPLORE.EXE  
Very safe 
This entry was classified from our visitors as good. 
   C:\Program Files\Windows Live\Toolbar\wltuser.exe  
Safe Safe (3.7 / 5.00) 
   C:\Program Files\comcasttb\CIDGlobalLight.exe  
 This is an unknown process.
 
   C:\WINDOWS\system32\HPZipm12.exe  
Very safe 
HP Taskbar Utility 
   C:\WINDOWS\system32\HPZinw12.exe  
Neutral 
Hewlett-Packard WLAN-Printer related 
   C:\Program Files\Spyware Doctor\pctsGui.exe  
 Safe (4.25 / 5.00) 
   C:\Program Files\Internet Explorer\iexplore.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\SearchProtocolHost.exe  
Safe 
This entry was classified from our visitors as good. 
   C:\WINDOWS\system32\SearchFilterHost.exe  
Safe 
Microsoft Windows Search related process 
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157  
Safe This entry was classified from our visitors as good. 
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896  
Safe This entry was classified from our visitors as good. 
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896  
Safe This entry was classified from our visitors as good. 
   R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157  
Safe This entry was classified from our visitors as good. 
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
Safe This entry was classified from our visitors as good. 
   R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
Safe This entry was classified from our visitors as good. 
   R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local  
Safe This entry was classified from our visitors as good. 
   O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll  
Safe Unknown application. This entry was classified from our visitors as good. 
   O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll  
 Windows Live Toolbar beta Search Enhancement Pack 
   O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll  
Very safe GrooveShellExtensions.dll Groove Virtual Office  
   O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll  
 Unknown application.  
   O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll  
Very safe This entry was classified from our visitors as good. 
   O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll  
Safe googletoolbar.dll, googletoolbar*.dll (* = number), googletoolbar_en_*.**-big.dll, Googletoolbar_en_*.*.**-deleon.dll. - Google toolbar, http://toolbar.google.com/  
   O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll  
 swg.dll - Google Toolbar Notifier, http://googlesystem.blogspot.com/2006/07/google-is-your-default-search.html 
   O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll  
Neutral Safe (3.92 / 5.00) 
   O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll  
Safe jp2ssv.dll - Sun_Java, http://java.sun.com/javase/downloads/index.jsp browser plugin 
   O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll  
Neutral Safe (3.55 / 5.00) 
   O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll  
Very safe jqs_plugin.dll - Java Quick Starter, https://jdk6.dev.java.net/testQS.html 
   O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll  
Safe googletoolbar.dll, googletoolbar*.dll (* = digit), googlenav.dll, googlenav*.dll, googletoolbar_en_*.**-big.dll, googletoolbar_en_*.*.**-deleon.dll - Google Toolbar  
   O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll  
Safe Safe (3.55 / 5.00) 
   O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll  
 Unknown application.  
   O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"  
Safe Not dangerous, but unnecessary. Speeds up the time it takes to load the Adobe Reader application. Your choice 
   O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe  
Very safe Not dangerous, but unnecessary. HP software updates. If a shortcut doesn't exist 
   O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"  
 Not dangerous, but unnecessary. Part of Roxio EasyCD Creator 6.0 - places the Roxio Drag-to-Disc icon in your system tray. "Easily drag and drop files for burning to CD or DVD. Disc formatting and burning will happen automatically". Not required for Roxio to work properly  
   O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"  
Safe Unknown application. This entry was classified from our visitors as good. 
   O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"  
Safe Java from Sun 
   O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe  
Neutral Associated with GoogleToolbarNotifier from Google Inc. 
   O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe  
Safe This entry was classified from our visitors as good. 
   O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H  
Very safe Registry Mechanic for Windows - "you can safely clean and repair Windows registry problems with a few simple mouse clicks! Problems with the Windows registry are a common cause of Windows crashes and error messages" 
   O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe  
Safe This entry was classified from our visitors as good. 
   O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide  
 Unknown application.  
   O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bonnie Jackson')  
 Office related 
   O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Bonnie Jackson')  
 Not dangerous, but unnecessary. QuickTime 
   O4 - HKUS\S-1-5-21-1715567821-412668190-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Bonnie Jackson')  
 Associated with GoogleToolbarNotifier from Google Inc. 
   O4 - S-1-5-21-1715567821-412668190-839522115-1004 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')  
 Safe (4.14 / 5.00) 
   O4 - S-1-5-21-1715567821-412668190-839522115-1004 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Bonnie Jackson')  
 Safe (4.14 / 5.00) 
   O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE  
Safe ONENOTEM.EXE is a part of the note taking program that ships with Microsoft Office 2003. It's required for the side note windows to work.  
   O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe  
Safe Not dangerous, but unnecessary. HP digital imaging monitor; can apparently be launched manually.  
   O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe  
Neutral HP Scanner related 
   O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe  
Safe Microsoft's Windows Desktop Search (WDS) 
   O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000  
Very safe The entry E&xport to Microsoft Excel has been identified as safe. 
   O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll  
Very safe Safe (4.14 / 5.00) 
   O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll  
Very safe Safe (4.14 / 5.00) 
   O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll  
 The entry Send to OneNote has been identified as safe. 
   O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll  
 The entry S&end to OneNote has been identified as safe. 
   O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL  
 The entry Research has been identified as safe. 
   O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe  
Safe This entry was classified from our visitors as good. 
   O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe  
Safe This entry was classified from our visitors as good. 
   O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Safe This entry was classified from our visitors as good. 
   O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Neutral The entry Windows Messenger has been identified as safe. 
   O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab  
Safe Check if you know this site and fix it if you do not. This entry was classified from our visitors as good. 
   O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244823990281  
 This entry has been identified as safe. 
   O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab  
Neutral Safe (3.67 / 5.00) 
   O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx  
 This entry has been identified as safe. 
   O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab  
Safe Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! 
   O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx  
 This entry has been identified as safe. 
   O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab  
Safe This entry has been identified as safe. 
   O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx  
 Safe (3.97 / 5.00) 
   O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab  
Very safe Check if you know this site and fix it if you do not. This entry was classified from our visitors as good. 
   O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx  
 This entry has been identified as safe. 
   O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll  
Very safe This entry has been identified as safe.  
   O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll  
Neutral Safe (3.92 / 5.00) 
   O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll  
Very safe This entry was classified from our visitors as good. 
   O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe  
Neutral Unknown service. (ComcastAntiSpyService.exe)  
   O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe  
Safe This service (AppleMobileDeviceService.exe) was identified as a good one.  
   O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe  
Neutral This service (mDNSResponder.exe) was identified as a good one.  
   O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe  
Safe This service (GoogleUpdaterService.exe) was identified as a good one. This entry was classified from our visitors as good. 
   O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE  
Very safe This service (HPBPRO.EXE) was identified as a good one.  
   O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE  
Safe Unknown service. (HPBOID.EXE) This entry was classified from our visitors as good. 
   O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe  
Very safe This service (iPodService.exe) was identified as a good one.  
   O23 - Service: Pest Patrol Realtime Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe  
 This service (ITMRTSVC.exe) was identified as a good one.  
   O23 - Service: Java Quick Starter (JavaQuickStarterService) - CA, Inc. - (no file)  
 Unknown service. ()  
   O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe  
Safe This service (HPZipm12.exe) was identified as a good one. This entry was classified from our visitors as good. 
   O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe  
Very safe Unknown service. (pctsAuxs.exe) This entry was classified from our visitors as good. 
   O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe  
Very safe Unknown service. (pctsSvc.exe) This entry was classified from our visitors as good. 
   O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe  
 Safe (4.39 / 5.00) 
   member --- RLJACK01
Short analysis
Use these tips at your own risk!
© 2004 - 2009 Mathias Mattner
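As an added example (not code from this thread, from HijackThis or from hijackthis.de), here is a small Python triage script that applies the rules the hijackthis.de notes above state to raw HijackThis lines: O16 ActiveX controls from a site you do not recognise are flagged for checking, any whose name or URL contains 'dialer', 'casino' or 'free plugin' is marked to fix, and O23 services pointing at "(no file)" or with an "Unknown owner" get a closer look. The KNOWN_SITES allow-list and the all-zero-GUID sample line are constructed for the demo; the other sample lines are copied from the log in this thread.

```python
"""Triage helper for HijackThis log lines (added example, not from this thread).

Rules applied, taken from the hijackthis.de notes in the thread:
  * O16 (DPF) ActiveX controls from a site you do not recognise: check them;
    if the name or URL contains 'dialer', 'casino' or 'free plugin': fix.
  * O23 services pointing at "(no file)" or with an "Unknown owner": check.
  * Everything else is listed for manual review; the script never deletes.
KNOWN_SITES is a constructed allow-list; the all-zero GUID line in SAMPLE_LOG
is constructed to exercise the keyword rule. The other sample lines are from
the log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list: sites the machine's owner recognises (edit to taste).
KNOWN_SITES = {"update.microsoft.com", "dlm.tools.akamai.com", "platformdl.adobe.com"}
# Words the hijackthis.de note says should always lead to fixing the entry.
SUSPECT_WORDS = ("dialer", "casino", "free plugin")

ENTRY_RE = re.compile(r"^\s*(O\d+)\s+-\s+(.*)$")
DPF_RE = re.compile(r"DPF:\s+(\{[0-9A-Fa-f-]+\})\s*(?:\(([^)]*)\))?\s*-\s*(\S+)")
SERVICE_RE = re.compile(r"Service:\s+(.+?)\s+-\s+(.+?)\s+-\s+(.+)$")


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O16"
    verdict: str   # "fix", "check" or "review"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for non-entry lines (headers, notes)."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group(1), m.group(2).strip()
    if kind == "O16":
        d = DPF_RE.search(body)
        if not d:
            return Finding(kind, "review", "unparsed DPF entry", line)
        name, url = (d.group(2) or ""), d.group(3)
        haystack = f"{name} {url}".lower()
        if any(word in haystack for word in SUSPECT_WORDS):
            return Finding(kind, "fix", "suspect keyword in ActiveX name or URL", line)
        if url.lower().startswith("file://"):
            return Finding(kind, "review", "local ActiveX control; confirm the installed app", line)
        host = urlparse(url).hostname or ""
        if host not in KNOWN_SITES:
            return Finding(kind, "check", f"ActiveX from unrecognised site {host}", line)
        return Finding(kind, "review", f"ActiveX from known site {host}", line)
    if kind == "O23":
        s = SERVICE_RE.match(body)
        if s:
            owner, path = s.group(2), s.group(3)
            if "(no file)" in path:
                return Finding(kind, "check", "service points to a missing file", line)
            if owner.lower() == "unknown owner":
                return Finding(kind, "check", "service with unknown owner", line)
        return Finding(kind, "review", "service entry", line)
    return Finding(kind, "review", "entry outside the O16/O23 rules", line)


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log, dropping non-entry lines."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict so the reader sees what needs attention first."""
    counts = {"fix": 0, "check": 0, "review": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Sample input: lines from the thread's log plus one constructed O16 line.
SAMPLE_LOG = r"""
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Free Plugin) - http://casino.example.invalid/x.cab
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - CA, Inc. - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.kind:4} {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script only labels entries; whether an entry is really unwanted still needs the reader to confirm the site or program, which is the same caveat the hijackthis.de notes give.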

 

by: rljack01 | Posted on 2009-08-22 at 09:32:15 | ID: 25159234

Photo Gallery automatically installs within 2 minutes of my having manually deleted 4 Comcasttb (suspicious) registry keys.

 

by: rsivanandan | Posted on 2009-08-22 at 09:32:24 | ID: 25159237

I did a Google search for cox antispyware but it looks like many people don't like it.

Looks like this antivirus is nothing but rebranded McAfee, at least according to one site:

http://en.community.dell.com/forums/p/19274088/19487315.aspx

I'd suggest going down the other road; I used to like AVG a lot and still use it.

Cheers,
Rajesh

 

by: rljack01 | Posted on 2009-08-22 at 11:00:21 | ID: 25159602

I just edited the registry and did a reboot.

I'll check performance. However, I did a RegCure scan and clean just prior to shutdown.

After reboot I immediately did a registry scan with Regscan. 57 registry errors were found by RegCure and cleaned. (I have removed the PC from the internet during this process, so it seems that there is still an infection resident.) Also, at reboot an app started to self-install. I stopped it, but it may have caused the registry issues; also, my reg checker told me that the registry had been changed twice.

I just did another RegCure scan and found 27 empty reg keys. So, since I am not connected to the internet, applications from the bad guys on the internet coupled with internal PC spyware cause a greater number of empty registry keys and other registry errors together than when not connected to the internet.

Therefore it seems that I have to take 2 actions:

1- change my IP address

2- id and remove the internal PC malware

Please advise how I do item #1. (I have blocked the email domain of the predator, but they are likely transmitting in other ways, perhaps by piggybacking on another transmission.)

(These are my personal machines and I fired my customer on the last project that I was doing. OK, I admit that I was dumb for having ordered (but never downloaded) software demanded by the employer (because of cost) that I later id'd as a known malware site, of which I was suspicious in the first place.)

 

by: rljack01 | Posted on 2009-08-22 at 11:05:27 | ID: 25159615

System performance is better, it seems.

I'll run some tests, let the system run for a while and then comment further.

Thanks.

 

by: rljack01 | Posted on 2009-08-22 at 14:02:12 | ID: 25160248

System still has long response times and MS Word is nonresponsive.

 

by: rljack01 | Posted on 2009-08-22 at 14:04:14 | ID: 25160254

Up to 54% CPU usage at idle certainly indicates that system resources are being used more than normal. Can't yet ID the malware; my XP PC is disconnected from the internet.

 

by: rpggamergirl | Posted on 2009-08-22 at 16:40:14 | ID: 25160711

The infection could've come from a different source, as viruses in an unopened email don't usually infect without it being opened or activated.
The exception is when the user of OE has the "preview pane" on, which can allow the malicious code to execute; you can turn it off so any unopened email with viruses can't enter the system.

Also, a lot of nasties can hide from a HijackThis scan, so it's no longer the best diagnostic tool.

Also, try scanning with ComboFix and we'll see what it finds.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

by: rljack01 | Posted on 2009-08-22 at 18:49:34 | ID: 25161074

ComboFix log report is attached. Please see the code snippet.

Thanks. I appreciate the guidance.

ComboFix 09-08-22.06 - Richard Jackson 08/22/2009 18:30.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1294 [GMT -7:00]
Running from: c:\documents and settings\Richard Jackson\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\_000018_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\_000020_.tmp.dll
 
.
(((((((((((((((((((((((((   Files Created from 2009-07-23 to 2009-08-23  )))))))))))))))))))))))))))))))
.
 
2009-08-21 10:28 . 2009-08-21 10:28	--------	d-----w-	c:\windows\Sun
2009-08-20 12:19 . 2009-08-20 12:21	127921	----a-w-	c:\documents and settings\Richard Jackson\Application Data\Move Networks\uninstall.exe
2009-08-20 12:18 . 2009-08-20 12:21	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Move Networks
2009-08-20 12:17 . 2009-08-22 16:33	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\CallingID
2009-08-20 12:16 . 2009-08-20 12:16	--------	d-----w-	c:\program files\Common Files\scanner
2009-08-20 12:16 . 2009-08-20 12:16	--------	d-----w-	c:\program files\CA
2009-08-20 12:15 . 2009-08-20 12:22	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\comcasttb
2009-08-20 12:15 . 2009-08-22 16:25	--------	d-----w-	c:\program files\comcasttb
2009-08-13 17:25 . 2009-08-13 17:25	--------	d-----w-	c:\documents and settings\Richard Jackson\Local Settings\Application Data\Deployment
2009-08-12 07:59 . 2009-07-10 13:27	1315328	-c----w-	c:\windows\system32\dllcache\msoe.dll
2009-08-11 01:00 . 2009-08-11 01:00	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-05 23:42 . 2009-08-05 23:42	152576	----a-w-	c:\documents and settings\Richard Jackson\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 19:42 . 2009-08-05 19:48	104355	----a-w-	c:\windows\HPFins09.dat
2009-08-05 19:42 . 2005-11-01 09:29	3732	------w-	c:\windows\hpfmdl09.dat
2009-08-05 09:01 . 2009-08-05 09:01	204800	-c----w-	c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 03:23 . 2009-08-05 03:37	--------	d-----w-	c:\documents and settings\Richard Jackson\Local Settings\Application Data\Quicken Legal Business Pro
2009-08-05 03:23 . 2004-03-29 23:23	90112	----a-w-	c:\windows\unvise32.exe
2009-08-05 03:22 . 2009-08-05 03:34	--------	d-----w-	c:\program files\Quicken Legal Business Pro 2008
2009-08-01 18:41 . 2008-05-02 13:25	465920	-c----w-	c:\windows\system32\dllcache\imapi2fs.dll
2009-08-01 18:41 . 2008-05-02 13:25	465920	------w-	c:\windows\system32\imapi2fs.dll
2009-08-01 18:41 . 2008-05-02 13:25	317952	-c----w-	c:\windows\system32\dllcache\imapi2.dll
2009-08-01 18:41 . 2008-05-02 13:25	317952	------w-	c:\windows\system32\imapi2.dll
2009-08-01 18:41 . 2008-05-02 10:49	62976	-c----w-	c:\windows\system32\dllcache\cdrom.sys
2009-08-01 18:41 . 2009-08-01 18:45	--------	d-----w-	c:\program files\Kodak
2009-08-01 18:40 . 2009-08-01 18:40	77824	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Staging\ess\bindbins\bindbins.exe
2009-08-01 18:40 . 2009-08-01 18:40	175104	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Staging\reduced_contents_PrintCreation_expanded\setup.exe
2009-08-01 18:39 . 2009-08-01 18:39	45056	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Staging\sysfiles\kb945060\kb945060.exe
2009-08-01 18:38 . 2009-08-01 18:38	1187840	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_1fedfff\EasyShrx.Dll
2009-08-01 18:38 . 2009-08-01 18:38	2684304	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_1fedfff\Setup.exe
2009-08-01 18:38 . 2009-08-01 18:38	114688	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.20.1.dll
2009-08-01 18:38 . 2009-08-01 18:38	1187840	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_1fea140\EasyShrx.Dll
2009-08-01 18:38 . 2008-10-30 11:57	2499984	----a-r-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_1fea140\Setup.exe
2009-08-01 18:35 . 2009-08-01 18:35	114688	----a-w-	c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.20.1.dll
2009-08-01 18:35 . 2009-08-01 18:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kodak
2009-08-01 00:37 . 2009-08-01 00:37	--------	d-----w-	c:\program files\SANYO Digital Camera
2009-08-01 00:37 . 2007-02-27 04:28	55808	----a-w-	c:\windows\system32\drivers\nvtcam.sys
2009-08-01 00:37 . 2007-02-27 04:28	24192	----a-w-	c:\windows\system32\drivers\NVTCAMD2.SYS
2009-08-01 00:37 . 2004-04-12 21:32	41760	----a-w-	c:\windows\system\VFWWDM.DRV
2009-07-31 07:56 . 2009-07-31 07:56	--------	d-----w-	c:\documents and settings\All Users\Application Data\RegCure
2009-07-31 07:56 . 2009-07-31 08:22	--------	d-----w-	c:\program files\RegCure
2009-07-31 03:16 . 2009-07-31 03:21	--------	d-----w-	c:\program files\ReNamer
2009-07-27 18:54 . 2009-07-27 18:54	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Creative
2009-07-26 13:37 . 2009-07-26 13:37	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-07-24 15:19 . 2009-07-24 15:19	--------	d-----w-	c:\documents and settings\Bonnie Jackson\Local Settings\Application Data\Apple Computer
2009-07-24 12:08 . 2009-08-19 02:30	3942048	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 01:38 . 2009-06-12 14:30	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-08-22 22:44 . 2009-07-10 17:42	117760	----a-w-	c:\documents and settings\Richard Jackson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-21 19:29 . 2009-06-12 14:30	--------	d-----w-	c:\program files\Spyware Doctor
2009-08-21 10:28 . 2009-06-24 18:42	1636	----a-w-	c:\windows\system32\d3d9caps.dat
2009-08-20 12:21 . 2009-06-17 07:52	4183416	----a-w-	c:\documents and settings\Richard Jackson\Application Data\Move Networks\plugins\npqmp071504000001.dll
2009-08-20 11:24 . 2009-06-12 15:23	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-19 12:22 . 2009-08-19 12:22	3846144	---ha-w-	c:\documents and settings\Richard Jackson\ntuser.tmp
2009-08-19 02:30 . 2009-07-10 12:37	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-08-07 01:24 . 2009-07-10 17:42	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-08-05 23:44 . 2009-07-08 20:36	--------	d-----w-	c:\program files\Java
2009-08-05 09:01 . 2004-08-04 12:00	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2009-07-10 12:37	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-07-10 12:37	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-08-01 09:20 . 2009-06-12 18:18	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-07-25 20:13 . 2009-06-12 15:57	--------	d-----w-	c:\program files\Common Files\Adobe
2009-07-25 12:23 . 2009-07-08 20:37	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-07-19 20:45 . 2009-07-19 20:45	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Apple Computer
2009-07-19 20:45 . 2009-07-19 20:44	--------	d-----w-	c:\program files\iTunes
2009-07-19 20:45 . 2009-07-19 20:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-19 20:44 . 2009-07-19 20:44	--------	d-----w-	c:\program files\iPod
2009-07-19 20:44 . 2009-07-19 20:43	--------	d-----w-	c:\program files\Common Files\Apple
2009-07-19 20:44 . 2009-07-19 20:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-19 20:44 . 2009-07-19 20:44	--------	d-----w-	c:\program files\Bonjour
2009-07-19 20:44 . 2009-07-19 20:44	--------	d-----w-	c:\program files\QuickTime
2009-07-19 20:43 . 2009-07-19 20:43	--------	d-----w-	c:\program files\Apple Software Update
2009-07-19 20:43 . 2009-07-19 20:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\Apple
2009-07-19 13:22 . 2009-07-19 13:22	--------	d-----w-	c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-07-17 19:01 . 2004-08-04 12:00	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-15 01:30 . 2009-07-15 01:30	--------	d-----w-	c:\documents and settings\Bonnie Jackson\Application Data\HP
2009-07-15 01:30 . 2009-07-15 01:30	--------	d-----w-	c:\documents and settings\Bonnie Jackson\Application Data\Windows Search
2009-07-14 06:43 . 2004-08-04 12:00	286208	----a-w-	c:\windows\system32\wmpdxm.dll
2009-07-13 22:16 . 2009-07-13 22:16	--------	d-----w-	c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-07-13 21:22 . 2009-07-13 21:22	75048	----a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 20:29 . 2009-07-06 16:39	--------	d-----w-	c:\program files\dxwebsetup
2009-07-10 17:42 . 2009-07-10 17:42	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-10 17:42 . 2009-07-10 17:42	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\SUPERAntiSpyware.com
2009-07-10 12:37 . 2009-07-10 12:37	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Malwarebytes
2009-07-10 12:37 . 2009-07-10 12:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 20:24 . 2009-07-08 20:24	152576	----a-w-	c:\documents and settings\Richard Jackson\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-08 19:58 . 2009-07-08 19:58	--------	d-----w-	c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-08 19:36 . 2009-07-08 19:36	--------	d-----w-	c:\program files\AskBarDis
2009-07-08 17:03 . 2009-07-08 16:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\PC Tools
2009-07-08 16:36 . 2009-07-08 16:35	--------	d-----w-	c:\program files\Common Files\PC Tools
2009-07-08 16:35 . 2009-07-08 16:35	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\PC Tools
2009-07-08 16:21 . 2009-07-08 16:21	114168	----a-w-	c:\documents and settings\Bonnie Jackson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 16:21 . 2009-07-08 16:21	137	----a-w-	c:\documents and settings\Bonnie Jackson\Local Settings\Application Data\fusioncache.dat
2009-07-08 16:21 . 2009-07-08 16:21	--------	d-----w-	c:\documents and settings\Bonnie Jackson\Application Data\Windows Desktop Search
2009-07-08 16:21 . 2009-07-08 16:21	--------	d-----w-	c:\documents and settings\Bonnie Jackson\Application Data\Avanquest
2009-07-06 04:12 . 2009-07-06 04:12	--------	d-----w-	c:\program files\Trend Micro
2009-07-03 13:57 . 2009-07-03 13:57	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Avanquest
2009-07-03 13:57 . 2009-07-03 13:57	--------	d-----w-	c:\program files\Microsoft Visual Studio 8
2009-07-03 13:57 . 2009-07-03 13:57	--------	d-----w-	c:\program files\Microsoft.NET
2009-07-03 13:56 . 2009-06-20 15:20	--------	d-----w-	c:\program files\Creative
2009-07-03 13:56 . 2009-06-20 15:10	--------	d-----w-	c:\documents and settings\All Users\Application Data\Napster
2009-07-03 13:56 . 2009-06-12 14:21	--------	d-----w-	c:\program files\Common Files\InstallShield
2009-07-03 13:56 . 2009-06-20 14:23	--------	d-----w-	c:\program files\Common Files\Roxio Shared
2009-07-03 13:54 . 2009-06-12 15:25	--------	d-----w-	c:\program files\Microsoft Works
2009-07-03 13:53 . 2009-06-18 13:32	--------	d-----w-	c:\program files\Windows Media Connect 2
2009-07-03 13:53 . 2009-07-03 13:53	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Download Manager
2009-07-03 13:53 . 2009-07-03 13:53	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Avanquest
2009-07-03 13:52 . 2009-07-03 13:52	--------	d-----w-	c:\program files\WexTech
2009-07-03 13:52 . 2009-07-03 13:52	--------	d-----w-	c:\program files\MSXML 4.0
2009-07-03 13:52 . 2009-07-03 13:52	--------	d-----w-	c:\documents and settings\Richard Jackson\Application Data\Autodesk
2009-07-03 13:52 . 2009-07-03 13:52	--------	d-----w-	c:\program files\Common Files\Wextech Shared
2009-07-03 13:52 . 2009-06-13 04:57	--------	d-----w-	c:\program files\AutoCAD LT 2002
2009-07-03 13:52 . 2009-06-13 04:57	--------	d-----w-	c:\program files\Common Files\Autodesk Shared
2009-07-03 13:52 . 2009-06-13 13:55	--------	d-----w-	c:\program files\Quick View Plus
2009-07-03 13:52 . 2009-06-12 15:30	--------	d-----w-	c:\program files\Windows Desktop Search
2009-07-03 13:51 . 2009-07-03 13:51	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Windows Search
2009-07-03 13:51 . 2009-06-12 19:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\HP
2009-07-03 13:51 . 2009-07-03 13:51	--------	d-----w-	c:\program files\Common Files\Sonic Shared
2009-07-03 13:51 . 2009-06-12 19:06	--------	d-----w-	c:\program files\Common Files\HP
2009-07-02 13:59 . 2009-07-02 13:59	10134	----a-r-	c:\documents and settings\Richard Jackson\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-02 13:59 . 2009-06-12 18:47	--------	d-----w-	c:\program files\HP
2009-06-29 16:12 . 2004-08-04 12:00	827392	----a-w-	c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
2009-06-26 20:14 . 2009-06-26 20:14	--------	d-----w-	c:\program files\Microsoft Expression
2009-06-25 08:25 . 2009-06-13 10:00	730112	----a-w-	c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00	56832	----a-w-	c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00	54272	----a-w-	c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00	301568	----a-w-	c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00	147456	----a-w-	c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00	136192	----a-w-	c:\windows\system32\msv1_0.dll
2009-06-24 16:51 . 2009-06-24 16:51	--------	d-----w-	c:\program files\Citrix
2009-06-24 11:18 . 2004-08-04 12:00	92928	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2009-06-20 15:12 . 2009-06-12 13:53	114168	----a-w-	c:\documents and settings\Richard Jackson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 07:52 . 2009-06-17 07:52	97144	----a-w-	c:\documents and settings\Richard Jackson\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-16 14:36 . 2004-08-04 12:00	81920	----a-w-	c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00	119808	----a-w-	c:\windows\system32\t2embed.dll
2009-06-12 20:36 . 2009-06-12 20:36	138	----a-w-	c:\documents and settings\Richard Jackson\Local Settings\Application Data\fusioncache.dat
2009-06-12 17:37 . 2009-06-12 13:35	86327	----a-w-	c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-12 15:56 . 2009-06-12 15:56	86016	----a-w-	c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-12 13:33 . 2009-06-12 13:33	21640	----a-w-	c:\windows\system32\emptyregdb.dat
2009-06-12 12:31 . 2004-08-04 12:00	80896	----a-w-	c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00	76288	----a-w-	c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2009-06-12 13:32	2066432	----a-w-	c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00	84992	----a-w-	c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00	132096	----a-w-	c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00	1291264	----a-w-	c:\windows\system32\quartz.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-12 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-07 1830128]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
 
c:\documents and settings\Richard Jackson\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
 
c:\documents and settings\Bonnie Jackson\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= "qvphook.dll" [2002-04-10 45056]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/8/2009 9:36 AM 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [7/8/2009 10:03 AM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [7/8/2009 10:03 AM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [7/8/2009 9:36 AM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 74480]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 10:49 AM 616408]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/8/2009 9:35 AM 348752]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [7/8/2009 9:35 AM 64392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [7/8/2009 10:03 AM 33056]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 I97DRIVER;I97DRIVER;\??\c:\program files\Avanquest\Fix-It\dgs.sys --> c:\program files\Avanquest\Fix-It\dgs.sys [?]
S3 MailScan;MailScan;\??\c:\progra~1\AVANQU~1\Fix-It\MailScan.sys --> c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [?]
 
--- Other Services/Drivers In Memory ---
 
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
 
2009-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
 
2009-08-23 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
 
2009-08-23 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
 
2009-08-23 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
- - - - ORPHANS REMOVED - - - -
 
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
 
 
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 18:39
Windows 5.1.2600 Service Pack 3 NTFS
 
detected NTDLL code modification:
ZwClose
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Richard Jackson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
 
- - - - - - - > 'lsass.exe'(988)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
.
Completion time: 2009-08-23 18:42
ComboFix-quarantined-files.txt  2009-08-23 01:42
 
Pre-Run: 36,185,645,056 bytes free
Post-Run: 39,568,060,416 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
 
306	--- E O F ---	2009-08-12 10:03
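Two things in the ComboFix log above bear directly on the firewall question in the original post: under the standardprofile firewall policy the log records "EnableFirewall"= 0, so the built-in Windows Firewall is switched off on this XP machine, and three service/driver entries (ThreatFire, I97DRIVER, MailScan) end in [?], meaning ComboFix could not read a file date/size at the registered path. The script below is an added example, not code from this thread or from ComboFix, that pulls those two checks plus the list of DLLs injected into winlogon.exe and lsass.exe out of a constructed excerpt modelled on the posted log (the profile user name is replaced). The meaning it assigns to the R/S prefix, the start-type digit and the [?] marker is the usual ComboFix convention as I read it, not something the thread states.

```python
"""Triage three things a reviewer checks by eye in a ComboFix-style log: the
Windows Firewall flag, services/drivers with no file info ("[?]"), and DLLs
loaded into winlogon.exe / lsass.exe from outside the Windows directory."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the posted log (profile user name replaced).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/8/2009 9:36 AM 130936]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 I97DRIVER;I97DRIVER;\??\c:\program files\Avanquest\Fix-It\dgs.sys --> c:\program files\Avanquest\Fix-It\dgs.sys [?]
S3 MailScan;MailScan;\??\c:\progra~1\AVANQU~1\Fix-It\MailScan.sys --> c:\progra~1\AVANQU~1\Fix-It\MailScan.sys [?]

- - - - - - - > 'winlogon.exe'(932)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(988)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
"""

# "R0 name;display;path [date time size]": R = running, S = stopped, digit = start type
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FILEINFO_RE = re.compile(r"\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M (?P<size>\d+)\]$")
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\(\d+\)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class ServiceEntry:
    name: str
    running: bool
    start_type: str
    path: str
    size: Optional[int]  # None when the log shows "[?]" instead of a date/size


def parse_services(log: str) -> List[ServiceEntry]:
    entries = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"].strip()
        if "-->" in rest:  # "registered --> resolved"; keep the resolved path
            rest = rest.split("-->", 1)[1].strip()
        size, fi = None, FILEINFO_RE.search(rest)
        if fi:
            size, rest = int(fi["size"]), rest[: fi.start()].strip()
        elif rest.endswith("[?]"):
            rest = rest[:-3].strip()
        entries.append(ServiceEntry(m["name"], m["state"] == "R",
                                    START_TYPES.get(m["start"], m["start"]), rest, size))
    return entries


def firewall_enabled(log: str) -> Optional[bool]:
    """True/False from the standard-profile EnableFirewall value; None if the key is absent."""
    lines = [l.strip() for l in log.splitlines()]
    for i, line in enumerate(lines):
        if line.lower().endswith(r"firewallpolicy\standardprofile]"):
            for nxt in lines[i + 1:i + 4]:
                m = re.match(r'"EnableFirewall"\s*=\s*(\d+)', nxt)
                if m:
                    return m.group(1) != "0"
    return None


def parse_loaded_dlls(log: str) -> Dict[str, List[str]]:
    """Map process name -> DLL paths from the 'DLLs Loaded Under Running Processes' section."""
    loaded: Dict[str, List[str]] = {}
    current = None
    for line in (l.strip() for l in log.splitlines()):
        m = PROCESS_RE.match(line)
        if m:
            current = m["proc"]
            loaded[current] = []
        elif current and line and line != ".":
            loaded[current].append(line)
        else:
            current = None  # a blank line or "." closes the process block
    return loaded


def triage(log: str) -> List[str]:
    findings = []
    if firewall_enabled(log) is False:
        findings.append("Windows Firewall is disabled for the standard profile (EnableFirewall=0)")
    for svc in parse_services(log):
        if svc.size is None:  # file missing, or a path with arguments / 8.3 names ComboFix could not stat
            state = "running" if svc.running else "stopped"
            findings.append(f"{svc.name} ({state}, {svc.start_type} start): no file info for {svc.path}; verify on disk")
    for proc, dlls in parse_loaded_dlls(log).items():
        for dll in dlls:
            if not dll.lower().startswith(WINDOWS_DIR):
                findings.append(f"{proc}: DLL loaded from outside the Windows directory: {dll}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it as a script to print the findings, or call triage() on a full log. Every hit on this excerpt resolves to a security product the poster installed (PC Tools, SUPERAntiSpyware, Avanquest), which is the point of the exercise: the script sorts the log, a person decides. A [?] entry for a product that has since been uninstalled is a leftover service registration to clean up; a DLL inside lsass.exe or winlogon.exe from a vendor you cannot account for is the item to chase first.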
                                              

 

by: rljack01, posted on 2009-08-22 at 19:01:33, ID: 25161099

I had selected the search for hidden files option in Spyware Doctor with antivirus and found and removed 120 infections not found prior.

a- fn: trojan.general

b- filename: application.nircmd (116 infections)

c- filename: trojan.general

Also just now my XP PC (the subject of these posts) did an auto shutdown.

There is still a bad guy in there that I hope to eradicate soon.

 

by: rljack01, posted on 2009-08-22 at 19:04:16, ID: 25161109

Is it possible that the malware site has my email address (2) that they can access my machine via IP address transmission and not by email?

I have closed the prior capability of 'previewing' incoming emails.

I know that the bad email appeared in the preview window yesterday.

 

by: rljack01, posted on 2009-08-23 at 06:35:18, ID: 25162528

"catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 18:39
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0" was found by the ComboFix scan of the XP Pro PC.

 

by: rljack01, posted on 2009-08-23 at 06:39:54, ID: 25162541

LOCATION IN LOG FILE: 1:25

"catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 18:39
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0"

 

by: rljack01, posted on 2009-08-23 at 07:11:30, ID: 25162686

See http://msdn.microsoft.com/en-us/library/ms804356.aspx for a definition of the kernel function ZwClose.  

This, it seems, is the reason for reoccurrence of deleted files (by superantispyware and regcure).

It looks like handles remain open or database pointers remain active which disallows closure by ZwClose.

The problem remains about how to id and totally delete the malware that, it seems, remains in my XP PC s l o w i n g processing to a crawl.

Next I'll look in my XPPC for a file called "jqp.exe", malware that slows XP to a crawl and try to id the source of any other malware invoked process.

I still need the help of rpggamergirl.

 

by: rljack01, posted on 2009-08-23 at 08:00:30, ID: 25162865

The file name I'm looking for is 'jqs.exe' and not jqp.exe.

See http://search.microsoft.com/results.aspx?form=MSHOME&mkt=en-US&setlang=en-US&q=jqs.exe for more info on jqs.exe.

This is as I found this file in the Java directory and deleted it earlier.

Has it returned?

 

by: rpggamergirl, posted on 2009-08-23 at 18:07:38, ID: 25165051

Hi,

Sorry for late reply.  Have you also tried updating your java to the latest version?

Combofix did remove 3 files, but nothing else is showing in the log.


Can you please run Gmer's rootkit scanner; the catchme integrated in Combofix only detects userland rootkits.
Also run RootRepeal.


1.  Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors (Recommended)
Primary Mirror
http://rootrepeal.googlepages.com/RootRepeal.zip
Secondary Mirror
http://ad13.geekstogo.com/RootRepeal.zip


Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror:
http://ad13.geekstogo.com/RootRepeal.rar
Secondary Mirror:
http://ad13.geekstogo.com/RootRepeal.rar


Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.





2.  Download GMER from here:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fwww.gmer.net%2Ffiles.php

Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.


 

by: rljack01, posted on 2009-08-27 at 12:41:56, ID: 31618308

Hijackthis helped partially but Prevx id'd 25 infections that other packages couldn't and eliminated 18 Trojans and 7 other malware infections.

Thanks.  I appreciate your help.
