Nick Wolf
asked on
HijackThis Scan Log Check
What of the items in the log below needs to be fixed?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:15 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fortifw.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Fortinet\FortiClient\fmon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.3mhs.com
O15 - Trusted Zone: *.3mhs.net
O15 - Trusted Zone: *.tmhsi.com
O15 - Trusted Zone: *.tmhsi.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193123984531
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13BC78CE-3AAD-4125-B579-DDE6991C0620}: Domain = bw.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{8310580D-1D19-45F9-ACB5-AC214C49BB22}: NameServer = 172.21.1.1;192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE92AEF9-9D5E-40D1-9886-52E362EAB1F1}: NameServer = 172.21.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D481B5-E0FC-479B-BD51-2CEAEFB2CF5F}: NameServer = 68.28.146.92 68.28.154.92
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11F6C25-647D-4368-9861-A73983F18B7B}: NameServer = 172.21.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bw.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{13BC78CE-3AAD-4125-B579-DDE6991C0620}: Domain = bw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bw.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{13BC78CE-3AAD-4125-B579-DDE6991C0620}: Domain = bw.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bw.local
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: NTRU Hybrid TSS v2.0.7 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11895 bytes
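A small triage helper for the HijackThis log format posted above, added here as an example (it is not HijackThis or Experts Exchange code). It parses the `Rn`/`On` entry lines and pulls out the items a reviewer checks first: unknown Winsock LSP files (O10), Trusted Zone additions (O15), configured name servers (O17) and services with no listed owner (O23). The excerpt it runs on is constructed from lines of the posted log.

```python
"""Parse HijackThis v2 log entries and summarise review-worthy items.
Example code for this thread, not part of HijackThis itself."""
import re
from collections import Counter

# Constructed excerpt taken from the log posted in this thread.
SAMPLE_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    r"O15 - Trusted Zone: *.3mhs.com",
    r"O15 - Trusted Zone: *.tmhsi.net",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8310580D-1D19-45F9-ACB5-AC214C49BB22}: NameServer = 172.21.1.1;192.168.1.254",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D481B5-E0FC-479B-BD51-2CEAEFB2CF5F}: NameServer = 68.28.146.92 68.28.154.92",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bw.local",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe",
]

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_entry(line):
    """Return a dict for one 'Rn - ...' / 'On - ...' line, or None for header lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "body": body}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    if code == "O23" and body.startswith("Service: "):
        # O23 layout: "Service: <name> - <owner> - <path>"; a path may itself contain " - ".
        parts = body[len("Service: "):].split(" - ")
        entry["service"], entry["owner"] = parts[0], parts[1]
        entry["path"] = " - ".join(parts[2:])
    elif code == "O15":
        entry["zone"] = body.split(": ", 1)[1]
    elif code == "O17" and "NameServer = " in body:
        # Name servers are separated by ';' or spaces depending on the adapter key.
        entry["nameservers"] = IP_RE.findall(body.split("NameServer = ", 1)[1])
    elif code == "O10":
        entry["path"] = body.split(": ", 1)[1]
    return entry


def triage(lines):
    """Summarise the entries a reviewer looks at first when reading an HJT log."""
    entries = [e for e in (parse_entry(l) for l in lines) if e]
    return {
        "counts": Counter(e["code"] for e in entries),
        "unknown_lsp": [e["path"] for e in entries if e["code"] == "O10"],
        "trusted_zones": [e["zone"] for e in entries if e["code"] == "O15"],
        "nameservers": sorted({ip for e in entries for ip in e.get("nameservers", [])}),
        "unknown_owner_services": [e["service"] for e in entries
                                   if e["code"] == "O23" and e["owner"] == "Unknown owner"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each list in the report maps back to the HJT section it came from, so the output can be compared line by line against the original log when deciding what to act on.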
ASKER
Hi IndiGenus,
The AV software is FortiClient. A PCPitstop scan says it found spyware, but I didn't find any traces of the registry keys they mention, although they say to take the message "very seriously" which is why I am asking for a 2nd opinion:
http://www.pcpitstop.com/betapit/tips/WinSpy.asp?conid=20768715
"AutoUpdate; AproposMedia is the advert-showing part of the 'PeopleOnPage' program, an Internet Explorer sidebar which claims to show a list of other users of the current site."
I don't see any evidence of it in your HJT log, although that doesn't mean there isn't a trace somewhere. I certainly trust PC Pitstop and would advise you go through and check for each of those registry entries and files.
ASKER
IndiGenus: Thank you. I will scan with Malwarebytes' program asap, probably later today. I will post my results.
ASKER
IndiGenus: Thank you! Great suggestion. Malwarebytes found items and removed them successfully.
Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 2
9:26:55 PM 8/6/2008
mbam-log-8-6-2008 (21-26-55).txt
Scan type: Full Scan (C:\|)
Objects scanned: 89389
Time elapsed: 26 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\PDF417Encoder.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\allowed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\notallow (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\00867294.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Great, glad it worked out and thanks for the grade and points.
Regards,
Dave
Are you having some kind of issue here? Not seeing anything malicious there at first glance. One thing I DON'T see is Anti-virus. Is that so? If so why no AV?