muck66
asked on
rundll.exe and explorer.exe shell?
I seem to be infected: a process runs, called either explorer.exe or rundll.exe (obviously shells), that takes 99% of resources. Also I have seen Purity Scan reported by various spyware tools, for example Trend, Pest Patrol, Lavasoft.
Attached is a HJT log, can somebody help?
Logfile of HijackThis v1.99.1
Scan saved at 09:53:19, on 30/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\MANTEC~1\rundll32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
C:\WINDOWS\system32\?asks\??plorer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\mbuckingham\Local Settings\Temp\wz2626\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - {06317603-B19C-B330-BD27-98ABB83FB4CB} - C:\WINDOWS\system32\nvjazitk.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06317603-B19C-B330-BD27-98ABB83FB4CB} - C:\WINDOWS\system32\nvjazitk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\system32\hpnra.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [Vwok] C:\Program Files\Common Files\??crosoft\r?ndll.exe
O4 - HKCU\..\Run: [Kfg] C:\WINDOWS\system32\?asks\??plorer.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.offshoreclicks.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://172.16.10.19/tdbin/Spider80.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129229929578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142239872421
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://paris.tourismeville.wanadoo.fr/activex/AxisCamControl.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) - http://62.187.136.10/jinitiator/jinit1319.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = antalis.corp
O17 - HKLM\Software\..\Telephony: DomainName = "antalis.corp"
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = antalis.fr
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = antalis.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = antalis.corp,antalis.fr
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = antalis.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = antalis.corp,antalis.fr
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = antalis.corp,antalis.fr
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - Unknown owner - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - WorldCom - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
After you uninstall OIN or run their OIUninstaller, some of those entries I listed won't be there so don't worry if you can't find them when you next run hijackthis.
The high-CPU explorer.exe and rundll.exe processes are all caused by PurityScan, so after you uninstall it you should be fine.
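The entries that give this infection away in the log above are the O4 Run keys and running processes whose paths imitate system binaries (`??plorer.exe`, `r?ndll.exe`, a `rundll32.exe` outside system32), the R1 search-URL changes and the O15 Trusted Zone addition. The following triage script is an added example, not part of the thread or of HijackThis; it assumes the `?` glyphs in the pasted log stand for non-ASCII characters the paste lost, and the directory allowlist for Windows XP is the author's assumption.

```python
import re

# System binary names that malware likes to imitate (explorer.exe and rundll.exe in this thread).
SYSTEM_NAMES = ("explorer.exe", "rundll32.exe", "rundll.exe", "svchost.exe", "lsass.exe", "csrss.exe")
# Directories where those names legitimately live on Windows XP (assumed allowlist).
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32", "%systemroot%\\system32")
O4_RE = re.compile(r"^O4 - .*Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample mirroring the entries discussed in the thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\MANTEC~1\rundll32.exe",
    r"C:\WINDOWS\system32\?asks\??plorer.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com",
    r"O2 - BHO: (no name) - {06317603-B19C-B330-BD27-98ABB83FB4CB} - C:\WINDOWS\system32\nvjazitk.dll",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r'O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup',
    r"O4 - HKCU\..\Run: [Vwok] C:\Program Files\Common Files\??crosoft\r?ndll.exe",
    r"O4 - HKCU\..\Run: [Kfg] C:\WINDOWS\system32\?asks\??plorer.exe",
    r"O15 - Trusted Zone: *.offshoreclicks.com",
]

def command_path(cmd):
    """Extract the executable path from an O4 command (quoted or unquoted, with trailing switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|cpl|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def has_lookalike_chars(path):
    """Non-ASCII characters, or the '?' a pasted log shows in their place, anywhere in the path."""
    return "?" in path or any(ord(c) > 127 for c in path)

def imitated_system_name(path):
    """Return the system binary the file name imitates once unknown chars are wildcarded, else None."""
    base = path.rsplit("\\", 1)[-1].lower()
    pattern = re.escape(base).replace(r"\?", ".")  # '??plorer.exe' -> '..plorer\.exe'
    for name in SYSTEM_NAMES:
        if re.fullmatch(pattern, name):
            return name
    return None

def check_path(path):
    """Reasons one executable path deserves a look; bare names (resolved via PATH) are not judged."""
    findings = []
    if has_lookalike_chars(path):
        findings.append("non-ASCII or lookalike characters in path")
    name = imitated_system_name(path)
    directory = path.rsplit("\\", 1)[0].lower()
    if name and "\\" in path and directory not in SYSTEM_DIRS:
        findings.append(f"{name} lookalike outside its Windows directory")
    return findings

def triage(lines):
    """Scan HJT log lines; return (section, label, reason) tuples worth a human review."""
    out = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            for reason in check_path(command_path(m.group("cmd"))):
                out.append(("O4", m.group("name"), reason))
        elif PATH_RE.match(line):  # "Running processes" section
            for reason in check_path(line):
                out.append(("process", line, reason))
        elif line.startswith("R1 - "):  # R1 = changed IE registry value
            target = line.split("=", 1)[1].strip()
            if not any(d in target.lower() for d in ("microsoft.com", "msn.com")):
                out.append(("R1", target, "changed IE value points to third party"))
        elif line.startswith("O2 - BHO: (no name)"):
            out.append(("O2", line.split(" - ")[-1], "browser helper object with no name"))
        elif line.startswith("O15 - Trusted Zone:"):
            out.append(("O15", line.split(":", 1)[1].strip(), "site added to IE Trusted Zone"))
    return out

if __name__ == "__main__":
    for section, label, reason in triage(SAMPLE_LOG):
        print(f"{section:8} {reason:50} {label}")
```

Legitimate entries such as `C:\WINDOWS\Explorer.EXE`, `C:\WINDOWS\system32\rundll32.exe` and the bare `rundll32.exe bthprops.cpl` Run key produce no findings, so the output is the short list a helper would actually act on.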
ASKER
So here is the latest one:
http://www.hijackthis.de/logfiles/4055f0980b6edeb707769220dd3f7532.html
I presume it is now all OK.
Thanks for your help.
It still has "possible nasties". Review the content; it looks like you recognize the programs? If not, fix them. Worst case, a few programs will not work; just reinstall them.
Cool. Thank you.