
Help with google redirect / possible spyware

Discussion in 'Malware and Virus Removal Archive' started by higenbs1, 2006/10/09.

  1. 2006/10/09, higenbs1 (thread starter)
    Hi

    I'm new here and desperate for help. When using IE, every time I do a Google search, the first result takes me to some crappy website instead of what I was searching for, i.e. freewirelessworld.com etc.

    I've tried various spyware programs (AVG/Spybot/Adaware) but the problem still persists.

    Have attached an HJT log - any help would be greatly appreciated.

    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 22:34:48, on 09/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    D:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [QMusic] "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] "dslagent.exe" USB
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [SpySweeperUninstallSurvey] http://products.webroot.com/disp020...685476&lang=en&loc=GBR&opi=2&omj=5&omn=1&rsc=
    O4 - Startup: DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/19027b33eb59fe38a406/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED758180-274F-4422-AC95-1099B179C9CF}: NameServer = 85.255.113.92,85.255.112.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAEB1714-27A4-4A81-8964-57CD464CCC1E}: NameServer = 85.255.113.92,85.255.112.13
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
    O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

  2. 2006/10/09, TeMerc (Alumni)
    Hello and welcome to WindowsBBS Forums.

    I'm not seeing any major indicators of malware, but there are some. Can you give us a better example of what sites you're being redirected to, and whether any of them repeat or point towards a specific app? In many cases these small details can point us in the right direction.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


    Please follow these instructions exactly for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.

    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/19027b33...p/RdxIE601.cab


    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED758180-274F-4422-AC95-1099B179C9CF}: NameServer = 85.255.113.92,85.255.112.13

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAEB1714-27A4-4A81-8964-57CD464CCC1E}: NameServer = 85.255.113.92,85.255.112.13

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13


    Reboot, then post a new HJT log back into this thread please.

  4. 2006/10/11, higenbs1 (thread starter)
    Thanks for responding. Have removed as suggested and it looks like an O17 has reappeared. Other redirects are adfarm/media, casinocaesar and monstermarketplace (they all tend to look the same).

    Thanks once again:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:29:18, on 11/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\WINDOWS\System32\wbem\wmiprvse.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [QMusic] "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] "dslagent.exe" USB
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
    O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
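The O17 lines are the security-relevant finding in this thread. HijackThis writes CCS for CurrentControlSet, CS1 for ControlSet001, and Tcpip\..\{GUID} for Tcpip\Parameters\Interfaces\{GUID}, so the first log shows a static NameServer on every network interface, on the global Tcpip\Parameters key and on the ControlSet001 copy, all pointing at the same two external addresses. A static NameServer overrides whatever DHCP handed out, so every lookup the machine makes, including the sites clicked from a Google results page, is answered by whoever runs those servers. The second log shows one interface key back after the fix, which is why the helper concludes something is still resident. The script below is an added example, not code from the thread, from HijackThis or from ComboFix: it parses O17 lines from the two logs above (copied verbatim as sample input), labels each key against the two addresses the helper told the poster to remove (KNOWN_BAD, an assumption drawn from that fix list), diffs the logs to show which keys the fix removed and which survived, and, on Windows only, reads the same NameServer values from the live registry so the check can be repeated after a reboot. The function names are mine.

```python
"""Find, label and diff O17 (DNS NameServer) entries in HijackThis logs.

Added example for this thread; not code from HijackThis or ComboFix.
LOG_BEFORE / LOG_AFTER hold lines copied from the two logs posted above.
KNOWN_BAD is the pair of addresses the helper told the poster to remove
(assumed here to be the hijack, based on that fix list).
"""
import ipaddress
import re
import sys

# HijackThis writes: O17 - <registry key>: NameServer = <ip>[ ,]<ip>...
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

KNOWN_BAD = {"85.255.113.92", "85.255.112.13"}

LOG_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED758180-274F-4422-AC95-1099B179C9CF}: NameServer = 85.255.113.92,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAEB1714-27A4-4A81-8964-57CD464CCC1E}: NameServer = 85.255.113.92,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LOG_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_o17(log_text):
    """Return {registry key: [server, ...]} for every O17 line in a HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # HJT separates servers with a space or a comma; both forms appear above.
            entries[m.group("key")] = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
    return entries


def is_public(server):
    """True for a globally routable address: a static public DNS server on a
    DHCP-configured home PC is exactly what this hijack looks like."""
    try:
        return ipaddress.ip_address(server).is_global
    except ValueError:
        return True  # not even an IP literal: treat as worth a look


def classify(entries, known_bad=KNOWN_BAD):
    """Label each O17 key 'known-bad', 'public' (review it) or 'local'."""
    labels = {}
    for key, servers in entries.items():
        if any(s in known_bad for s in servers):
            labels[key] = "known-bad"
        elif any(is_public(s) for s in servers):
            labels[key] = "public"
        else:
            labels[key] = "local"
    return labels


def diff_o17(before, after):
    """Which O17 keys a fix removed, which survived it, and which are new."""
    return {
        "removed": sorted(before.keys() - after.keys()),
        "persisting": sorted(before.keys() & after.keys()),
        "new": sorted(after.keys() - before.keys()),
    }


def live_nameservers():
    r"""Windows only: read the keys HJT abbreviates as CCS\...\Parameters and
    Tcpip\..\{GUID} (really Tcpip\Parameters\Interfaces\{GUID}) from the live
    registry. Returns {} elsewhere so the log analysis still runs."""
    if sys.platform != "win32":
        return {}
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as params:
        try:
            found[base] = winreg.QueryValueEx(params, "NameServer")[0]
        except OSError:
            pass  # value absent: DNS comes from DHCP
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Interfaces") as ifaces:
        for i in range(winreg.QueryInfoKey(ifaces)[0]):  # [0] is the subkey count
            guid = winreg.EnumKey(ifaces, i)
            with winreg.OpenKey(ifaces, guid) as iface:
                try:
                    value = winreg.QueryValueEx(iface, "NameServer")[0]
                except OSError:
                    continue
                if value:  # an empty string also means "use DHCP"
                    found[f"{base}\\Interfaces\\{guid}"] = value
    return found


if __name__ == "__main__":
    before, after = parse_o17(LOG_BEFORE), parse_o17(LOG_AFTER)
    for key, label in classify(before).items():
        print(f"{label:9s} {key} -> {', '.join(before[key])}")
    print("after fix:", diff_o17(before, after))
    print("live registry:", live_nameservers() or "(not on Windows)")
```

Run against the two logs, every key in the first log is labelled known-bad, the diff reports four keys removed and the {ECDCFDCE-...} interface key persisting, and nothing new. The public label is deliberately weaker than known-bad: an ISP's resolver is also a public address, so a static public NameServer is something to review, not something to delete on sight.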
     
  5. 2006/10/11, TeMerc (Alumni)
    Hmmm... OK, we need to dig a little bit deeper; something is hiding.

    First we'll run a scan tool, then get a start up list using HJT.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Then:
    Open HJT, click the 'None of the above, just start the program' button.
    Then click the 'Config' button in the lower right hand of the program.
    Then select the 'Misc Tools' button.
    In the upper left hand side of the program, tick the two boxes 'List also minor sections (full)' and 'List empty sections (complete)' and select 'Yes' when prompted by the dialog box. The resultant scan will produce a Notepad log file; please paste that log file back here for me to review along with the ComboFix log.
     
  6. 2006/10/12, higenbs1 (thread starter)
    Cheers again:

    Combofix:

    Administrator - 06-10-12 18:49:44.43 Service Pack 2
    ComboFix 06.10.12 - Running from: "D:\Documents and Settings\Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


    2006-10-09 21:28 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-09-16 23:20 11,648 --a------ D:\WINDOWS\system32\drivers\pxscrmbl.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-12 18:48 -------- d-------- D:\Program Files\Mozilla Firefox
    2006-10-11 22:10 -------- d-------- D:\Program Files\eMule
    2006-10-09 21:28 -------- d-------- D:\Program Files\Grisoft
    2006-10-09 21:17 -------- d-------- D:\Program Files\Lavasoft
    2006-10-09 21:17 -------- d-------- D:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-10-06 19:29 -------- d-------- D:\Program Files\ImTOO
    2006-10-06 18:47 18312 --a------ D:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-29 08:16 778656 --a------ D:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-20 19:35 -------- d--h----- D:\Program Files\InstallShield Installation Information
    2006-09-20 19:35 -------- d-------- D:\Program Files\iPod
    2006-09-19 22:40 -------- d-------- D:\Program Files\Google
    2006-09-19 22:40 -------- d-------- D:\Documents and Settings\Administrator\Application Data\Google
    2006-09-17 11:37 -------- d-------- D:\Program Files\Roguescanfix
    2006-08-26 16:25 -------- d-------- D:\Documents and Settings\Administrator\Application Data\dvdcss
    2006-08-26 14:36 -------- d-------- D:\Program Files\Magicbit
    2006-08-25 16:45 617472 --a------ D:\WINDOWS\system32\comctl32.dll
    2006-08-22 22:27 -------- d-------- D:\Documents and Settings\Administrator\Application Data\Ahead
    2006-08-22 21:06 -------- d-------- D:\Program Files\GrabIt
    2006-08-21 13:21 16896 --a------ D:\WINDOWS\system32\fltlib.dll
    2006-08-21 10:14 23040 --a------ D:\WINDOWS\system32\fltmc.exe
    2006-08-21 10:14 128896 --------- D:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-13 17:01 -------- d-------- D:\Program Files\NCBuy
    2006-08-13 17:00 -------- d-------- D:\Program Files\Common Files\SWF Studio
    2006-08-13 17:00 -------- d-------- D:\Program Files\Common Files
    2006-08-12 20:52 -------- d-------- D:\Program Files\Internet Explorer
    2006-08-12 08:17 27904 --a------ D:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-07-27 14:24 679424 --a------ D:\WINDOWS\system32\inetcomm.dll
    2006-07-21 09:24 72704 --a------ D:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AVG7_CC"="\"D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
    "TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "NvCplDaemon"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="\"nwiz.exe\" /install"
    "NvMediaCenter"="\"RUNDLL32.EXE\" D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "CTHelper"="CTHELPER.EXE"
    "UpdReg"="D:\\WINDOWS\\UpdReg.EXE"
    "Jet Detection"="\"D:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
    "NeroFilterCheck"="\"D:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
    "QMusic"="\"D:\\Program Files\\BenQ\\QMusic2\\QMAgent.exe\""
    "SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
    "iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "GSICONEXE"="GSICON.EXE"
    "DSLAGENTEXE"="\"dslagent.exe\" USB"
    "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20061011-222005-158
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
    backup-20061011-222005-169
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
    backup-20061011-222005-344
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAEB1714-27A4-4A81-8964-57CD464CCC1E}: NameServer = 85.255.113.92,85.255.112.13
    backup-20061011-222005-949
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED758180-274F-4422-AC95-1099B179C9CF}: NameServer = 85.255.113.92,85.255.112.13
    backup-20061011-222005-981
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.92 85.255.112.13
    backup-20061011-222004-804
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/19027b33eb59fe38a406/netzip/RdxIE601.cab

    Contents of the 'Scheduled Tasks' folder
    D:\WINDOWS\tasks\DigiTV Wakeup - 12-10-2006, 2055.job

    Completion time: 06-10-12 18:52:45.89
    ComboFix.txt

    and...
     
  7. 2006/10/12, higenbs1 (thread starter)
    HJT:

    StartupList report, 12/10/2006, 19:04:59
    StartupList version: 1.52.2
    Started from : D:\HJT\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    D:\HJT\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [D:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
    DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = D:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AVG7_CC = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    TkBellExe = "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    NvCplDaemon = "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = "nwiz.exe" /install
    NvMediaCenter = "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    CTHelper = CTHELPER.EXE
    UpdReg = D:\WINDOWS\UpdReg.EXE
    Jet Detection = "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    NeroFilterCheck = "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    QMusic = "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    SunJavaUpdateSched = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    iTunesHelper = "D:\Program Files\iTunes\iTunesHelper.exe "
    QuickTime Task = "D:\Program Files\QuickTime\qttask.exe" -atboottime
    GSICONEXE = GSICON.EXE
    DSLAGENTEXE = "dslagent.exe" USB
    !AVG Anti-Spyware = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = D:\WINDOWS\system32\ctfmon.exe
    MSMSGS = "D:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = D:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = D:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from D:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=D:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    D:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    D:\WINDOWS\Explorer\Explorer.exe: not present
    D:\WINDOWS\System\Explorer.exe: not present
    D:\WINDOWS\System32\Explorer.exe: not present
    D:\WINDOWS\Command\Explorer.exe: not present
    D:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in D:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    DigiTV Wakeup - 12-10-2006, 2055.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = D:\WINDOWS\system32\legitcheckcontrol.dll
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    [MSSecurityAdvisor Class]
    InProcServer32 = D:\WINDOWS\System32\mssecadv.dll
    CODEBASE = http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1142763705701

    [WUWebControl Class]
    InProcServer32 = D:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374

    [MUWebControl Class]
    InProcServer32 = D:\WINDOWS\System32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140

    [Java Plug-in]
    InProcServer32 = D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    [Java Plug-in]
    InProcServer32 = D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    [Java Plug-in 1.5.0_06]
    InProcServer32 = D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = D:\WINDOWS\System32\Macromed\Flash\Flash8a.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: D:\WINDOWS\System32\mswsock.dll
    NameSpace #2: D:\WINDOWS\System32\winrnr.dll
    NameSpace #3: D:\WINDOWS\System32\mswsock.dll
    Protocol #1: D:\WINDOWS\system32\mswsock.dll
    Protocol #2: D:\WINDOWS\system32\mswsock.dll
    Protocol #3: D:\WINDOWS\system32\mswsock.dll
    Protocol #4: D:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: D:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: D:\WINDOWS\system32\mswsock.dll
    Protocol #7: D:\WINDOWS\system32\mswsock.dll
    Protocol #8: D:\WINDOWS\system32\mswsock.dll
    Protocol #9: D:\WINDOWS\system32\mswsock.dll
    Protocol #10: D:\WINDOWS\system32\mswsock.dll
    Protocol #11: D:\WINDOWS\system32\mswsock.dll
    Protocol #12: D:\WINDOWS\system32\mswsock.dll
    Protocol #13: D:\WINDOWS\system32\mswsock.dll
    Protocol #14: D:\WINDOWS\system32\mswsock.dll
    Protocol #15: D:\WINDOWS\system32\mswsock.dll
    Protocol #16: D:\WINDOWS\system32\mswsock.dll
    Protocol #17: D:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------
     
  8. 2006/10/12
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    HJT Part two:

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    Aspi32: System32\drivers\aspi32.sys (autostart)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG Anti-Spyware Driver: \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
    AVG Anti-Spyware Guard: D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
    AVG7 Alert Manager Server: D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
    AVG E-mail Scanner: D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    cel90xbe: \??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cel90xbe.sys (manual start)
    Indexing Service: D:\WINDOWS\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Creative Service for CDROM Access: D:\WINDOWS\System32\CTsvcCDA.exe (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
    Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
    Creative DVD-Audio Device Driver: System32\drivers\ctdvda2k.sys (manual start)
    Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
    Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
    Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: D:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    D-Link DSL-200 USB ADSL Loader: system32\DRIVERS\gafwload.sys (autostart)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
    Creative P16V HAL Driver: System32\drivers\hap16v2k.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    InstallDriver Table Manager: "D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: D:\WINDOWS\System32\imapi.exe (manual start)
    Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    iPodService: D:\Program Files\iPod\bin\iPodService.exe (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Jukebox3: system32\DRIVERS\ctpdusb.sys (manual start)
    Sony Ericsson 750 driver (WDM): system32\DRIVERS\k750bus.sys (manual start)
    Sony Ericsson 750 USB WMC Modem Filter: system32\DRIVERS\k750mdfl.sys (manual start)
    Sony Ericsson 750 USB WMC Modem Drivers: system32\DRIVERS\k750mdm.sys (manual start)
    Sony Ericsson 750 USB WMC Device Management Drivers: system32\DRIVERS\k750mgmt.sys (manual start)
    Sony Ericsson 750 USB WMC OBEX Interface Drivers: system32\DRIVERS\k750obex.sys (manual start)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: D:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: D:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: D:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NebAudio, WDM Audio/MPEG2 Capture: System32\DRIVERS\nebaudio.sys (autostart)
    NebVideo, WDM Video Capture: System32\DRIVERS\nebvideo.sys (autostart)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    NEC FireWarden OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PfModNT: \??\D:\WINDOWS\system32\drivers\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: D:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: D:\WINDOWS\System32\dllhost.exe /Processid:{45FFD119-5D8E-4B96-AC8D-99B174021567} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: D:\WINDOWS\System32\tlntsvr.exe (manual start)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft AGPv3.5 Filter: System32\DRIVERS\uagp35.sys (system)
    Windows User Mode Driver Framework: D:\WINDOWS\System32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    USB Data Cable: system32\DRIVERS\usb2vcom.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    ViaIde: System32\DRIVERS\viaide.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    VIA USB Host Controller Lower Filter: \SystemRoot\System32\Drivers\vulfnth.sys (manual start)
    VIA USB Roothub Lower Filter: \SystemRoot\System32\Drivers\vulfntr.sys (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    D-Link DSL-200 USB ADSL Modem(WAN): System32\DRIVERS\gwausb.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WMDM PMSP Service: D:\WINDOWS\System32\MsPMSPSv.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: D:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    xmasbus: system32\DRIVERS\xmasbus.sys (system)
    xmasscsi: System32\Drivers\xmasscsi.sys (system)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
    CDBurn: D:\WINDOWS\system32\SHELL32.dll
    WebCheck: D:\WINDOWS\System32\webcheck.dll
    SysTray: D:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 36,255 bytes
    Report generated in 0.250 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  9. 2006/10/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I only found one item which I can't get a real description of.

    I need you to check the properties of a service for me.

    Go to: Start > Run > type "services.msc", then click OK

    Scroll down to the cel90xbe service.

    Click it to highlight it, then <right-click> and select: Properties

    Let me know what info is contained in the 'General' tab.

    Then search for the file, right-click it, select properties and let me know what it says there in regards to any company info, version or whatever.

    Can't say I see anything else.
     
  10. 2006/10/13
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    Can't find cel90xe on the list. Have tried repeating the problem and then checking if it's there, but still nothing. :confused:
     
  11. 2006/10/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Are you saying there are no more re-directs?
     
  12. 2006/10/16
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    No, I mean I'm still unable to get cel90xe to appear after repeating the problem.

    Thanks
     
  13. 2006/10/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    And you're still having re-directs?

    If so, please rename hijackthis.exe to something else, anything, then rerun it and post a log; I'm curious whether it reveals anything.

    Some newer infections have been hiding themselves from HJT; renaming the tool overrides the block.
     
  14. 2006/10/17
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    Yes, I am still getting redirects. Renamed HJT to TempFile as below.

    Thanks for all your help:

    Logfile of HijackThis v1.99.1
    Scan saved at 07:53:07, on 17/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\system32\CTHELPER.EXE
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\Program Files\BenQ\QMusic2\QMAgent.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\GSICON.EXE
    D:\WINDOWS\system32\dslagent.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\iPod\bin\iPodService.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Nebula\DigiTV\DigiTV.exe
    D:\Program Files\Outlook Express\msimn.exe
    D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    D:\HJT\TempFile.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [QMusic] "D:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] "dslagent.exe" USB
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: DigiTV.lnk = D:\Program Files\Nebula\DigiTV\DigiTV.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142760996374
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142795221140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ECDCFDCE-FAAF-4BE6-84C6-A1D1958D05F8}: NameServer = 85.255.113.92 85.255.112.13
    O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
     
  15. 2006/10/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, guess we need to dig around some more.

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.

    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.
     
  16. 2006/10/17
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    Silent Runners:

    "Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = " "D:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "AVG7_CC" = " "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP" [ "GRISOFT, s.r.o."]
    "TkBellExe" = " "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "NvCplDaemon" = " "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = " "nwiz.exe" /install" [ "NVIDIA Corporation"]
    "NvMediaCenter" = " "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
    "CTHelper" = "CTHELPER.EXE" [ "Creative Technology Ltd"]
    "UpdReg" = "D:\WINDOWS\UpdReg.EXE" [ "Creative Technology Ltd."]
    "Jet Detection" = " "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" " [empty string]
    "NeroFilterCheck" = " "D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" " [ "Nero AG"]
    "QMusic" = " "D:\Program Files\BenQ\QMusic2\QMAgent.exe" " [empty string]
    "SunJavaUpdateSched" = " "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" " [ "Sun Microsystems, Inc."]
    "iTunesHelper" = " "D:\Program Files\iTunes\iTunesHelper.exe" " [ "Apple Computer, Inc."]
    "QuickTime Task" = " "D:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "GSICONEXE" = "GSICON.EXE" [ "GlobeSpan, Inc."]
    "DSLAGENTEXE" = " "dslagent.exe" USB" [null data]
    "!AVG Anti-Spyware" = " "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]
    "dmsxi.exe" = "D:\WINDOWS\system32\dmsxi.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class "
    \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class "
    -> {HKLM...CLSID} = "DesktopContext Class "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper "
    -> {HKLM...CLSID} = "NVIDIA CPL Extension "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvcpl.dll" [ "NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer "
    -> {HKLM...CLSID} = "Desktop Explorer "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu "
    -> {HKLM...CLSID} = "nView Desktop Context Menu "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\nvshell.dll" [ "NVIDIA Corporation"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "D:\WINDOWS\System32\Audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler "
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler "
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
    "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}" = "Context Menu Shell Extension "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    "{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer "
    -> {HKLM...CLSID} = "NOMAD Explorer "
    \InProcServer32\(Default) = "D:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" [ "Creative Technology Ltd"]
    "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones "
    -> {HKLM...CLSID} = "My Phones "
    \InProcServer32\(Default) = "D:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" [ "Sony Ericsson Mobile Communications AB"]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]
    "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx "
    -> {HKLM...CLSID} = "AlcoholShellEx "
    \InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" [ "Alcohol Soft Development Team"]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "csowx.exe" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler "
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class "
    \InProcServer32\(Default) = "D:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" [ "Nero AG"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5} "
    -> {HKLM...CLSID} = "Context Menu Shell Extension "
    \InProcServer32\(Default) = "D:\PROGRA~1\TAGREN~1\TRshell.dll" [ "Softpointer Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {HKLM...CLSID} = "WinZip "
    \InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing LP"]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "D:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Administrator" & "All Users" startup folders:
    ---------------------------------------------------------------

    D:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    "DigiTV" -> shortcut to: "D:\Program Files\Nebula\DigiTV\DigiTV.exe SLEEP" [ "Nebula Electronics Ltd"]

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "InterVideo WinCinema Manager" -> shortcut to: "D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [ "InterVideo Inc."]
    "Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
    "WinZip Quick Pick" -> shortcut to: "D:\Program Files\WinZip\WZQKPICK.EXE" [ "WinZip Computing LP"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in "
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06 "
    \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [ "Sun Microsystems, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" [ "Anti-Malware Development a.s."]
    AVG E-mail Scanner, AVGEMS, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [ "GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" [ "GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" [ "GRISOFT, s.r.o."]
    Creative Service for CDROM Access, Creative Service for CDROM Access, "D:\WINDOWS\System32\CTsvcCDA.exe" [ "Creative Technology Ltd"]
    iPodService, iPodService, "D:\Program Files\iPod\bin\iPodService.exe" [ "Apple Computer, Inc."]
    NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\System32\nvsvc32.exe" [ "NVIDIA Corporation"]
    Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]
    WMDM PMSP Service, WMDM PMSP Service, "D:\WINDOWS\System32\MsPMSPSv.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" [ "SEIKO EPSON CORPORATION"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 60 seconds, including 17 seconds for message boxes)

    RootKitReveal:

    SOFTWARE 01/01/1601 01:00 0 bytes Error dumping hive: The system cannot find the file specified.
    D:\Documents and Settings\Administrator\Application Data\Real\RealPlayer\History\Star Stories 3.lnk 17/10/2006 22:03 1.79 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Application Data\Real\RealPlayer\History\Wife Swap.lnk 17/10/2006 22:03 1.77 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Desktop\IMAG0002.JPG 01/01/2002 00:00 1.10 MB Visible in Windows API, MFT, but not in directory index.
    D:\Documents and Settings\Administrator\Desktop\IMAG0003.JPG 01/01/2002 00:00 1.07 MB Visible in Windows API, MFT, but not in directory index.
    D:\Documents and Settings\Administrator\Desktop\IMAG0004.JPG 01/01/2002 00:00 1.11 MB Visible in Windows API, MFT, but not in directory index.
    D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4hs5e7ue.default\Cache\79D12FC8d01 17/10/2006 22:12 16.17 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4hs5e7ue.default\Cache\82E64EB5d01 17/10/2006 22:12 69.46 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4hs5e7ue.default\Cache\C954ED65d01 17/10/2006 22:12 22.30 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4hs5e7ue.default\Cache\F0B640A8d01 17/10/2006 22:12 86.06 KB Hidden from Windows API.
    D:\Documents and Settings\Administrator\Recent\3.lnk 11/10/2006 22:37 374 bytes Visible in Windows API, but not in MFT or directory index.
    D:\Documents and Settings\Administrator\Recent\4.lnk 11/10/2006 22:37 374 bytes Visible in Windows API, but not in MFT or directory index.
    D:\Documents and Settings\Administrator\Recent\Star Stories 3.lnk 17/10/2006 22:03 476 bytes Hidden from Windows API.
    D:\Documents and Settings\Administrator\Recent\Wife Swap.lnk 17/10/2006 22:02 461 bytes Hidden from Windows API.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd10.JPG 01/01/2002 00:00 1.10 MB Visible in directory index, but not Windows API or MFT.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd11.JPG 01/01/2002 00:00 1.07 MB Visible in directory index, but not Windows API or MFT.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd12.JPG 01/01/2002 00:00 1.11 MB Visible in directory index, but not Windows API or MFT.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd2.exe 17/10/2006 07:55 177.52 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd3.exe 17/10/2006 07:55 25.50 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd4.EXE 17/10/2006 07:55 5.18 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd5.exe 17/10/2006 07:55 38.27 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd6.exe 17/10/2006 07:55 8.00 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd7.exe 17/10/2006 07:55 30.50 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd8.exe 17/10/2006 07:55 41.50 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\Dd9.exe 12/10/2006 18:49 270.87 KB Visible in Windows API, but not in MFT or directory index.
    D:\RECYCLER\S-1-5-21-2025429265-448539723-725345543-500\desktop.ini 17/10/2006 22:12 65 bytes Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026583.exe 17/10/2006 22:12 177.52 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026584.exe 17/10/2006 22:12 25.50 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026585.EXE 17/10/2006 22:12 5.18 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026586.exe 17/10/2006 22:12 38.27 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026587.exe 17/10/2006 22:12 8.00 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026588.exe 17/10/2006 22:12 30.50 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026589.exe 17/10/2006 22:12 41.50 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026590.exe 17/10/2006 22:12 270.87 KB Hidden from Windows API.
    D:\System Volume Information\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\RP245\A0026592.ini 12/10/2006 19:15 116 bytes Visible in directory index, but not Windows API or MFT.
    D:\WINDOWS\Tasks\DigiTV Wakeup - 18-10-2006, 2325.job 17/10/2006 22:04 332 bytes Hidden from Windows API.
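    The RootkitRevealer lines above fall into three discrepancy classes, and only one of them ("Hidden from Windows API" on an executable outside the restore-point store) normally points at rootkit-style cloaking; the Recent\*.lnk and RECYCLER entries are timing noise from files written while the scan ran. The following triage helper is an added example written for this thread, not part of the thread or of RootkitRevealer: it parses the tool's output format, ranks entries by how much they deserve a look, and groups entries that share an exact size (System Restore keeps copies of changed files under RP*, which is why the RECYCLER and restore-point sizes above pair up). The severity thresholds, the regexes and the sample lines (the system32 line is a hypothetical stand-in for the file TeMerc identified) are this example's own.

```python
"""Triage helper for RootkitRevealer discrepancy output (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<path> <dd/mm/yyyy> <hh:mm> <size unit> <discrepancy>." as printed by the tool.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<disc>.+?)\.?$"
)
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}

# Constructed sample in the log's format; the system32 line is hypothetical.
SAMPLE_LOG = """\
D:\\Documents and Settings\\Administrator\\Recent\\Wife Swap.lnk 17/10/2006 22:02 461 bytes Hidden from Windows API.
D:\\RECYCLER\\S-1-5-21-2025429265-448539723-725345543-500\\Dd2.exe 17/10/2006 07:55 177.52 KB Visible in Windows API, but not in MFT or directory index.
D:\\RECYCLER\\S-1-5-21-2025429265-448539723-725345543-500\\Dd10.JPG 01/01/2002 00:00 1.10 MB Visible in directory index, but not Windows API or MFT.
D:\\System Volume Information\\_restore{C94B6332-62DD-4E69-945E-1F2D73455B0C}\\RP245\\A0026583.exe 17/10/2006 22:12 177.52 KB Hidden from Windows API.
D:\\WINDOWS\\system32\\dmsxi.exe 17/10/2006 07:55 61.00 KB Hidden from Windows API.
D:\\WINDOWS\\Tasks\\DigiTV Wakeup - 18-10-2006, 2325.job 17/10/2006 22:04 332 bytes Hidden from Windows API.
"""


@dataclass
class Finding:
    path: str
    size: str
    discrepancy: str
    severity: int  # 0 noise, 1 review, 2 suspicious, 3 likely cloaking (assumed scale)
    reason: str


def classify(path: str, discrepancy: str) -> Tuple[int, str]:
    """Map one discrepancy to a severity and a one-line rationale."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if discrepancy.startswith("Hidden from Windows API"):
        if "\\system volume information\\" in low:
            return 1, "restore-point copy; compare its size with other hidden files"
        if ext in EXECUTABLE_EXT and "\\windows\\" in low:
            return 3, "executable under the Windows directory cloaked from the API"
        if ext in EXECUTABLE_EXT:
            return 2, "executable cloaked from the API"
        return 1, "non-executable hidden from the API (often in-use or just written)"
    if discrepancy.startswith("Visible in Windows API, but not in MFT"):
        return 0, "created while the scan ran (MFT snapshot predates it)"
    if discrepancy.startswith("Visible in directory index"):
        return 0, "stale index entry, deleted while the scan ran"
    return 1, "unrecognised discrepancy text"


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev, why = classify(m["path"], m["disc"])
    return Finding(m["path"], m["size"], m["disc"], sev, why)


def triage(log_text: str) -> List[Finding]:
    """Parse every line and return findings, most severe first."""
    found = [f for f in (parse_line(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: (-f.severity, f.path.lower()))


def size_matches(findings: List[Finding]) -> Dict[str, List[str]]:
    """Paths that report exactly the same size (restore-point twins, copies)."""
    by_size = defaultdict(list)
    for f in findings:
        by_size[f.size].append(f.path)
    return {s: p for s, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.path}\n     {f.discrepancy}: {f.reason}")
    for size, paths in size_matches(results).items():
        print(f"same size {size}: " + " | ".join(paths))
```

    Run it against a saved RootkitRevealer report by passing the file contents to `triage()`; everything at severity 0 can usually be ignored, and a severity-3 hit is the file to submit for analysis or remove on reboot.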
     
  17. 2006/10/17
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    AHA!!

    Found the file that should be causing the problems.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot ", and then select "All files ".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    D:\WINDOWS\system32\dmsxi.exe

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard ".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot, let me know how things are.
     
  18. 2006/10/17
    Kambiz

    Kambiz Inactive

    Joined:
    2006/10/17
    Messages:
    3
    Likes Received:
    0
    It doesn't work because KillBox cannot find the file.

    I used Registry Explorer (http://www.regxplor.com) to be able to delete the following registry entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    "dm???.exe" = "C:\WINDOWS\system32\dm???.exe "

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = "cs???.exe "

    Question marks (?) in the file names stand for random characters.

    Then, I rebooted. In the next start-up, I looked for the following files and deleted them:

    C:\WINDOWS\system32\dm???.exe (61 KB)
    C:\WINDOWS\system32\cs???.exe (51 KB)

    Before, these files were hidden even from RootkitRevealer.
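    The two registry locations in this post are the ones worth checking on any machine showing the same symptom: a Run value whose name is simply the filename of a randomly named executable in system32, and a Winlogon "System" value that is normally empty. The reviewer below is an added example written for this thread, not code from the thread or from Registry Explorer: it parses a text export in the .reg format that regedit and reg export produce and flags both indicators. The benign value, the dm/cs filenames and the heuristics (the random-name regex, the value-named-after-file rule) are this example's own assumptions.

```python
"""Flag the autorun indicators Kambiz describes in a .reg export (added example)."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected Winlogon values on XP (lower-cased); "System" is normally empty.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "system": ""}
# Shape of the dm???.exe / cs???.exe names from the post (assumed heuristic).
RANDOM_NAME_RE = re.compile(r"^[a-z]{2}[a-z0-9]{3}\.exe$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; all names and paths here are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\Program Files\\Example\\updater.exe /background"
"dmabc.exe"="C:\\WINDOWS\\system32\\dmabc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"="csxyz.exe"
"""


def unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def command_path(data: str) -> str:
    """Executable path from a Run value, with quotes and arguments removed."""
    cmd = data.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0].split(" -", 1)[0].strip()


def review(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, reason) for every value matching an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = command_path(data)
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(exe):
            reasons.append("random-looking executable name in system32")
        if name.lower() == exe:
            reasons.append("value named after the file rather than a product")
        if reasons:
            hits.append(("Run", name, "; ".join(reasons)))
    wl = {k.lower(): v for k, v in keys.get(WINLOGON_KEY, {}).items()}
    for vname, expected in WINLOGON_EXPECTED.items():
        actual = wl.get(vname, "")
        if actual.lower() != expected:
            hits.append(("Winlogon", vname, f"expected {expected!r}, found {actual!r}"))
    userinit = wl.get("userinit", "").lower().rstrip(",")
    if userinit and not userinit.endswith("\\userinit.exe"):
        hits.append(("Winlogon", "userinit", f"unexpected loader {userinit!r}"))
    return hits


if __name__ == "__main__":
    for key, name, reason in review(parse_reg(SAMPLE_REG)):
        print(f"{key}: {name}: {reason}")
```

    To use it on a real machine, export the two keys with regedit (or `reg export`) and feed the file's text to `parse_reg()`; a hit on the Winlogon "System" value is the strongest signal, since legitimate software has no reason to set it.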
     
  19. 2006/10/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Kambiz, your thread is here:
    http://www.windowsbbs.com/showthread.php?t=58629

    Let's please do as I asked there. Do not post back into this thread again.
     
  20. 2006/10/18
    higenbs1

    higenbs1 Inactive Thread Starter

    Joined:
    2006/10/09
    Messages:
    16
    Likes Received:
    0
    :)

    TeMerc, you, sir, are a genius. All sorted - thanks very much
     
  21. 2006/10/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Excellent, glad things are straightened out now.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     