web searches hijacked
Post by ErikG » January 28th, 2009, 7:23 pm

It doesn't seem to matter which search engine I use; the returns are hijacked. Below is my HijackThis log, followed by my Malwarebytes' Anti-Malware log. Thanks in advance for your help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:16 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O21 - SSODL: UoiKTDG - {74D31DD4-DE79-B77E-69A2-1FE883FF91BC} - C:\WINDOWS\system32\jc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12008 bytes





Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 3

1/27/2009 1:42:05 AM
mbam-log-2009-01-27 (01-42-05).txt

Scan type: Quick Scan
Objects scanned: 60323
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\regscan.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetchk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regscan (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cpbrkpie.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am
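A helper reading the log above looks first at a handful of entry types: the R1 ProxyServer line (a proxy the user never set is a classic way to rewrite search result pages), the O21 SSODL entry whose DLL is "(file missing)", O4 Run entries given as a bare file name, and O23 services with no publisher. The script below is an added example, written for this page; it is not code from the thread, from HijackThis or from ComboFix. It parses the HijackThis 2.x "Rn - ..." / "On - ..." line format and applies those heuristics to a sample built from lines copied out of ErikG's log. The severity labels and the function names are assumptions for illustration.

```python
"""Triage helper for HijackThis 2.x logs (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: UoiKTDG - {74D31DD4-DE79-B77E-69A2-1FE883FF91BC} - C:\WINDOWS\system32\jc.dll (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HijackThis entry line starts with a section code (R0, R1, O2, O4, O21, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (code, body) pairs for each entry line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def proxy_server(log_text):
    """The IE ProxyServer value from an R1 entry, or None if no proxy is configured."""
    for code, body in parse_entries(log_text):
        if code == "R1" and "Internet Settings,ProxyServer =" in body:
            return body.split("=", 1)[1].strip()
    return None


def run_entries_without_path(log_text):
    """O4 Run targets written as a bare file name (resolved through the PATH search at logon)."""
    bare = []
    for code, body in parse_entries(log_text):
        if code != "O4":
            continue
        m = re.search(r"\] (.+)$", body)   # text after the [name] is the command line
        if not m:
            continue
        target = m.group(1).strip().strip('"')
        if "\\" not in target and "/" not in target:
            bare.append(target)
    return bare


def dangling_ssodl(log_text):
    """Names of O21 ShellServiceObjectDelayLoad entries whose DLL is gone from disk."""
    names = []
    for code, body in parse_entries(log_text):
        if code == "O21" and "(file missing)" in body:
            # body looks like: "SSODL: <name> - {CLSID} - <path> (file missing)"
            names.append(body.split(":", 1)[1].split(" - ")[0].strip())
    return names


def triage(log_text):
    """Entries a helper would look at first, as (severity, code, note) tuples, highest first."""
    findings = []
    proxy = proxy_server(log_text)
    if proxy:
        findings.append(("HIGH", "R1", f"IE proxy set to {proxy}: every HTTP request, search result pages included, can be rewritten upstream; confirm the user set it"))
    for name in dangling_ssodl(log_text):
        findings.append(("HIGH", "O21", f"SSODL '{name}' points at a missing DLL: leftover shell loader, the registry value should be removed"))
    for target in run_entries_without_path(log_text):
        findings.append(("LOW", "O4", f"Run target '{target}' has no path: confirm which copy actually starts"))
    for code, body in parse_entries(log_text):
        if code == "O23" and "Unknown owner" in body:
            svc = body.split("Service: ", 1)[1].split(" - ")[0]
            findings.append(("LOW", "O23", f"service '{svc}' has no publisher in the log; verify the binary's signature"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


def severity_counts(log_text):
    """How many findings of each severity the log produced."""
    return Counter(sev for sev, _, _ in triage(log_text))


if __name__ == "__main__":
    for sev, code, note in triage(SAMPLE_LOG):
        print(f"[{sev:4}] {code:>3}  {note}")
```

Run against the sample it reports the proxy and the dangling SSODL entry as HIGH and the bare `VTTimer.exe` Run target and the unsigned LightScribe service as LOW. The heuristics are deliberately conservative: a proxy the user did configure and an OEM utility started by bare name are both normal, which is why each note asks for confirmation rather than declaring the entry malicious.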

Search returns hijacked

Post by ErikG » February 5th, 2009, 6:32 pm

It doesn't seem to matter which search engine I use; the returns are hijacked. At a glance the returns look normal (though they take much longer than usual to display), but the accompanying addresses link to completely unrelated sites. Below is my HijackThis log, followed by my Malwarebytes' Anti-Malware log. Thanks in advance for your help.



ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am

Re: Search returns hijacked

Post by Bio-Hazard » February 5th, 2009, 11:10 pm

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Search returns hijacked

Post by Bio-Hazard » February 5th, 2009, 11:16 pm

Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image

  • Click on Yes to continue scanning for malware.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log

Re: web searches hijacked

Unread postby Bio-Hazard » February 9th, 2009, 8:16 am

Hello!

Do you still need help?

Re: web searches hijacked

Unread postby ErikG » February 10th, 2009, 5:09 am

Hi. Yes, unfortunately, I'm still in need of some assistance. Thanks so much for your help. As requested, here's the ComboFix log followed by a new HijackThis log.

ComboFix 09-02-08.02 - HP_Owner 2009-02-10 3:50:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.200 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\wdmaud.sys
D:\Autorun.inf
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2220-12-13 19:07 . 2220-12-13 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2220-12-13 19:06 . 2220-12-13 19:06 <DIR> d-------- c:\program files\Yahoo!
2009-01-28 18:13 . 2009-01-28 18:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 01:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 01:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 22:47 . 2009-01-18 16:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-26 22:34 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-26 22:33 . 2009-01-26 22:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-26 22:32 . 2009-01-26 22:32 <DIR> d-------- c:\program files\Lavasoft
2009-01-26 22:32 . 2009-01-26 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 08:25 --------- d-----w c:\documents and settings\HP_Owner\Application Data\HPAppData
2009-02-10 08:19 62,902 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-02-05 15:37 3,645 ----a-w c:\windows\viassary-hp.reg
2009-02-05 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-12 18:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-07-08 17675304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-21 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-04 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-04-12 1536000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-21 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-16 52848]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-09 509784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-10-21 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-06-22 1078]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-26 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-05-09 24652]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [2005-01-25 114944]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-01-25 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-09 22:34]

2007-05-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-09 13:21]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe
SSODL-UoiKTDG-{74D31DD4-DE79-B77E-69A2-1FE883FF91BC} - c:\windows\system32\jc.dll


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyServer = hxxp://proxy/:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com \*.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com \download
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 03:56:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-130975665-589280043-1178334690-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-10 3:58:36
ComboFix-quarantined-files.txt 2009-02-10 08:58:33

Pre-Run: 9,790,160,896 bytes free
Post-Run: 10,486,177,792 bytes free

772 --- E O F --- 2009-01-14 08:05:22




Now for the HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:33 AM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
c:\Program Files\Sonic RecordNow!\RecordNow.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11447 bytes
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am
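As an added example, not code from HijackThis, ComboFix or anyone in this thread: a small Python parser for the HijackThis log format posted above that pulls out the section-coded lines (R0/R1/O2/O4/...) and attaches the review notes a helper checks first (proxy and search settings, O4 entries that name a bare filename, Trusted Zone entries). The sample log lines and the triage rules are constructed for illustration; a listed entry means "check it", not "malware".

```python
"""Parse HijackThis v2 log lines and list the items a helper reviews first.

Added example for this thread (not HijackThis or ComboFix code). The rules
are generic triage heuristics, not a verdict on any entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, written in the format of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O15 - Trusted Zone: http://*.update.microsoft.com
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Every HijackThis item starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Executable at the start of an O4 value: either a quoted path or the first token.
PATH_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


@dataclass
class Entry:
    code: str
    body: str
    notes: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the section-coded lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def _o4_path(body: str) -> Optional[str]:
    """Extract the program path from 'HKLM\\..\\Run: [Name] "C:\\x.exe" /switch'."""
    _, _, value = body.partition("] ")
    m = PATH_RE.match(value)
    if not m:
        return None
    return m["quoted"] or m["bare"]


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review notes; return only the entries that received one."""
    for e in entries:
        if e.code in ("R0", "R1"):
            # body: <registry key>,<value name> = <data>
            setting, _, data = e.body.partition(" = ")
            name = setting.rsplit(",", 1)[-1]
            if name == "ProxyServer":
                e.notes.append(f"proxy configured ({data}); confirm the user set it")
            elif name in ("Default_Search_URL", "Search Bar", "Search Page", "Start Page"):
                e.notes.append(f"{name} is {data}; confirm it is the expected provider")
        elif e.code == "O4":
            path = _o4_path(e.body)
            # A bare filename (no drive letter) is found via the PATH search order,
            # so the file that actually runs is not evident from the log line alone.
            if path and not re.match(r"^[A-Za-z]:\\", path):
                e.notes.append(f"bare filename {path!r}: verify which file actually runs")
        elif e.code == "O15":
            e.notes.append("Trusted Zone entry: sites here run with relaxed IE security")
        elif e.code in ("O2", "O3", "O9"):
            # Heuristic: browser add-ons normally live under Program Files or Windows.
            path = e.body.rsplit(" - ", 1)[-1].lower()
            if not (path.startswith("c:\\program files") or path.startswith("c:\\windows")):
                e.notes.append("component loaded from outside Program Files / Windows")
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for entry in triage(parse_hjt(SAMPLE_LOG)):
        print(entry.code, "-", entry.body)
        for note in entry.notes:
            print("    ->", note)
```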

Re: web searches hijacked

Unread postby Bio-Hazard » February 10th, 2009, 6:43 pm

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= -


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


ESET online scanner

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 12.
  • Go to HERE
  • Click on the link named Java Runtime Environment (JRE) 6 Update 12
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer



Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • ESET log
  • New HijackThis log
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: web searches hijacked

Unread postby ErikG » February 12th, 2009, 6:44 am

I was unable to get ESET to run a scan. After selecting "Install" in answer to the warning, "Publisher could not be verified. Are you sure you want to install this software?" a new box (empty) on the page with a red X in the upper left corner quickly appeared -- followed by nothing. Otherwise, the computer is performing well. Web searches now yield legitimate returns (thank you!). Below you'll find the ComboFix log followed by another HijackThis log.

ComboFix 09-02-08.02 - HP_Owner 2009-02-12 4:09:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.168 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2220-12-13 19:07 . 2220-12-13 19:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2220-12-13 19:06 . 2220-12-13 19:06 <DIR> d-------- c:\program files\Yahoo!
2009-01-28 18:13 . 2009-01-28 18:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-27 01:32 . 2009-01-27 01:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-27 01:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-27 01:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 22:47 . 2009-01-18 16:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-26 22:34 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-26 22:33 . 2009-01-26 22:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-26 22:32 . 2009-01-26 22:32 <DIR> d-------- c:\program files\Lavasoft
2009-01-26 22:32 . 2009-01-26 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 09:06 --------- d-----w c:\documents and settings\HP_Owner\Application Data\HPAppData
2009-02-12 08:56 3,645 ----a-w c:\windows\viassary-hp.reg
2009-02-12 08:56 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-12 08:54 63,320 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-12 18:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_ 3.57.39.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2009-01-14 08:05:07 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-12 08:51:34 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-01-14 08:05:07 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-12 08:51:34 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-01-14 08:05:07 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-12 08:51:34 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-01-14 08:05:07 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-02-12 08:51:34 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-01-14 08:05:07 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-02-12 08:51:34 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-01-14 08:05:07 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-02-12 08:51:34 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-01-14 08:05:07 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-02-12 08:51:34 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-01-14 08:05:07 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-02-12 08:51:34 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-01-14 08:05:07 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-12 08:51:34 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-01-14 08:05:07 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-02-12 08:51:34 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-10-16 20:38:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2005-07-08 17675304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-21 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-04 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-04-12 1536000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-21 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-16 52848]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-09 509784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 c:\windows\ALCWZRD.EXE]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HP Organize.lnk - c:\program files\Hewlett-Packard\HP Organize\bin\displayAgent.exe [2004-10-21 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-06-22 1078]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 45056]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27424:TCP"= 27424:TCP:PORT_27424
"55895:TCP"= 55895:TCP:PORT_55895
"22351:TCP"= 22351:TCP:PORT_22351
"37832:TCP"= 37832:TCP:PORT_37832
"63582:TCP"= 63582:TCP:PORT_63582
"39023:TCP"= 39023:TCP:PORT_39023
"33086:TCP"= 33086:TCP:PORT_33086
"14641:TCP"= 14641:TCP:PORT_14641
"44266:TCP"= 44266:TCP:PORT_44266
"43820:TCP"= 43820:TCP:PORT_43820
"25645:TCP"= 25645:TCP:PORT_25645
"20461:TCP"= 20461:TCP:PORT_20461
"18211:TCP"= 18211:TCP:PORT_18211
"48976:TCP"= 48976:TCP:PORT_48976
"45492:TCP"= 45492:TCP:PORT_45492
"25414:TCP"= 25414:TCP:PORT_25414
"23466:TCP"= 23466:TCP:PORT_23466
"40663:TCP"= 40663:TCP:PORT_40663
"38785:TCP"= 38785:TCP:PORT_38785
"62895:TCP"= 62895:TCP:PORT_62895
"39778:TCP"= 39778:TCP:PORT_39778
"5670:TCP"= 5670:TCP:PORT_5670
"35461:TCP"= 35461:TCP:PORT_35461
"43537:TCP"= 43537:TCP:PORT_43537
"50867:TCP"= 50867:TCP:PORT_50867
"16004:TCP"= 16004:TCP:PORT_16004
"28320:TCP"= 28320:TCP:PORT_28320
"45618:TCP"= 45618:TCP:PORT_45618
"11551:TCP"= 11551:TCP:PORT_11551
"7211:TCP"= 7211:TCP:PORT_7211
"43683:TCP"= 43683:TCP:PORT_43683
"21410:TCP"= 21410:TCP:PORT_21410
"53527:TCP"= 53527:TCP:PORT_53527
"51996:TCP"= 51996:TCP:PORT_51996
"48067:TCP"= 48067:TCP:PORT_48067
"23958:TCP"= 23958:TCP:PORT_23958
"48293:TCP"= 48293:TCP:PORT_48293
"7000:TCP"= 7000:TCP:PORT_7000
"8606:TCP"= 8606:TCP:PORT_8606
"6220:TCP"= 6220:TCP:PORT_6220
"48733:TCP"= 48733:TCP:PORT_48733
"49148:TCP"= 49148:TCP:PORT_49148
"46273:TCP"= 46273:TCP:PORT_46273
"25055:TCP"= 25055:TCP:PORT_25055
"41324:TCP"= 41324:TCP:PORT_41324
"54851:TCP"= 54851:TCP:PORT_54851
"53098:TCP"= 53098:TCP:PORT_53098
"47023:TCP"= 47023:TCP:PORT_47023
"22574:TCP"= 22574:TCP:PORT_22574
"53406:TCP"= 53406:TCP:PORT_53406
"50938:TCP"= 50938:TCP:PORT_50938
"50555:TCP"= 50555:TCP:PORT_50555
"47746:TCP"= 47746:TCP:PORT_47746
"26230:TCP"= 26230:TCP:PORT_26230
"24658:TCP"= 24658:TCP:PORT_24658
"55805:TCP"= 55805:TCP:PORT_55805
"31295:TCP"= 31295:TCP:PORT_31295
"25226:TCP"= 25226:TCP:PORT_25226
"27105:TCP"= 27105:TCP:PORT_27105
"45789:TCP"= 45789:TCP:PORT_45789
"31305:TCP"= 31305:TCP:PORT_31305
"15532:TCP"= 15532:TCP:PORT_15532
"25136:TCP"= 25136:TCP:PORT_25136
"61636:TCP"= 61636:TCP:PORT_61636
"8004:TCP"= 8004:TCP:PORT_8004
"48328:TCP"= 48328:TCP:PORT_48328
"34872:TCP"= 34872:TCP:PORT_34872
"45434:TCP"= 45434:TCP:PORT_45434
"31465:TCP"= 31465:TCP:PORT_31465
"34688:TCP"= 34688:TCP:PORT_34688
"29824:TCP"= 29824:TCP:PORT_29824
"61523:TCP"= 61523:TCP:PORT_61523
"36036:TCP"= 36036:TCP:PORT_36036
"30395:TCP"= 30395:TCP:PORT_30395
"7633:TCP"= 7633:TCP:PORT_7633
"48270:TCP"= 48270:TCP:PORT_48270
"30664:TCP"= 30664:TCP:PORT_30664
"48051:TCP"= 48051:TCP:PORT_48051
"11278:TCP"= 11278:TCP:PORT_11278
"47801:TCP"= 47801:TCP:PORT_47801
"36293:TCP"= 36293:TCP:PORT_36293
"47386:TCP"= 47386:TCP:PORT_47386
"25933:TCP"= 25933:TCP:PORT_25933
"9476:TCP"= 9476:TCP:PORT_9476
"15340:TCP"= 15340:TCP:PORT_15340
"26652:TCP"= 26652:TCP:PORT_26652
"6981:TCP"= 6981:TCP:PORT_6981
"24011:TCP"= 24011:TCP:PORT_24011
"29161:TCP"= 29161:TCP:PORT_29161
"58258:TCP"= 58258:TCP:PORT_58258
"28613:TCP"= 28613:TCP:PORT_28613
"31078:TCP"= 31078:TCP:PORT_31078
"47511:TCP"= 47511:TCP:PORT_47511
"56277:TCP"= 56277:TCP:PORT_56277
"59636:TCP"= 59636:TCP:PORT_59636
"11048:TCP"= 11048:TCP:PORT_11048
"40133:TCP"= 40133:TCP:PORT_40133
"59914:TCP"= 59914:TCP:PORT_59914
"46566:TCP"= 46566:TCP:PORT_46566
"60981:TCP"= 60981:TCP:PORT_60981
"51164:TCP"= 51164:TCP:PORT_51164
"9598:TCP"= 9598:TCP:PORT_9598
"35016:TCP"= 35016:TCP:PORT_35016
"8763:TCP"= 8763:TCP:PORT_8763
"37996:TCP"= 37996:TCP:PORT_37996
"27808:TCP"= 27808:TCP:PORT_27808
"24313:TCP"= 24313:TCP:PORT_24313
"38348:TCP"= 38348:TCP:PORT_38348
"43793:TCP"= 43793:TCP:PORT_43793
"24852:TCP"= 24852:TCP:PORT_24852
"56688:TCP"= 56688:TCP:PORT_56688
"23136:TCP"= 23136:TCP:PORT_23136
"29961:TCP"= 29961:TCP:PORT_29961
"18638:TCP"= 18638:TCP:PORT_18638
"60242:TCP"= 60242:TCP:PORT_60242
"34958:TCP"= 34958:TCP:PORT_34958
"40730:TCP"= 40730:TCP:PORT_40730
"39824:TCP"= 39824:TCP:PORT_39824
"14976:TCP"= 14976:TCP:PORT_14976
"24656:TCP"= 24656:TCP:PORT_24656
"56650:TCP"= 56650:TCP:PORT_56650
"31539:TCP"= 31539:TCP:PORT_31539
"10863:TCP"= 10863:TCP:PORT_10863
"21636:TCP"= 21636:TCP:PORT_21636
"64797:TCP"= 64797:TCP:PORT_64797
"36652:TCP"= 36652:TCP:PORT_36652
"14098:TCP"= 14098:TCP:PORT_14098
"40043:TCP"= 40043:TCP:PORT_40043
"55871:TCP"= 55871:TCP:PORT_55871
"13356:TCP"= 13356:TCP:PORT_13356
"30886:TCP"= 30886:TCP:PORT_30886
"35676:TCP"= 35676:TCP:PORT_35676
"62489:TCP"= 62489:TCP:PORT_62489
"36236:TCP"= 36236:TCP:PORT_36236
"19542:TCP"= 19542:TCP:PORT_19542
"31736:TCP"= 31736:TCP:PORT_31736
"6153:TCP"= 6153:TCP:PORT_6153
"53695:TCP"= 53695:TCP:PORT_53695
"31871:TCP"= 31871:TCP:PORT_31871
"39175:TCP"= 39175:TCP:PORT_39175
"28508:TCP"= 28508:TCP:PORT_28508
"46386:TCP"= 46386:TCP:PORT_46386
"55183:TCP"= 55183:TCP:PORT_55183
"42371:TCP"= 42371:TCP:PORT_42371
"17836:TCP"= 17836:TCP:PORT_17836
"40579:TCP"= 40579:TCP:PORT_40579
"10614:TCP"= 10614:TCP:PORT_10614
"29191:TCP"= 29191:TCP:PORT_29191
"19851:TCP"= 19851:TCP:PORT_19851
"19020:TCP"= 19020:TCP:PORT_19020
"12645:TCP"= 12645:TCP:PORT_12645
"14611:TCP"= 14611:TCP:PORT_14611
"18066:TCP"= 18066:TCP:PORT_18066
"9481:TCP"= 9481:TCP:PORT_9481
"41590:TCP"= 41590:TCP:PORT_41590
"34815:TCP"= 34815:TCP:PORT_34815
"35680:TCP"= 35680:TCP:PORT_35680
"42523:TCP"= 42523:TCP:PORT_42523
"22848:TCP"= 22848:TCP:PORT_22848
"62680:TCP"= 62680:TCP:PORT_62680
"48886:TCP"= 48886:TCP:PORT_48886
"57289:TCP"= 57289:TCP:PORT_57289
"60508:TCP"= 60508:TCP:PORT_60508
"58293:TCP"= 58293:TCP:PORT_58293
"5676:TCP"= 5676:TCP:PORT_5676
"59148:TCP"= 59148:TCP:PORT_59148
"6680:TCP"= 6680:TCP:PORT_6680
"5961:TCP"= 5961:TCP:PORT_5961
"46324:TCP"= 46324:TCP:PORT_46324
"18598:TCP"= 18598:TCP:PORT_18598
"17113:TCP"= 17113:TCP:PORT_17113
"63183:TCP"= 63183:TCP:PORT_63183
"21988:TCP"= 21988:TCP:PORT_21988
"9164:TCP"= 9164:TCP:PORT_9164
"34398:TCP"= 34398:TCP:PORT_34398
"10023:TCP"= 10023:TCP:PORT_10023
"25294:TCP"= 25294:TCP:PORT_25294
"53708:TCP"= 53708:TCP:PORT_53708
"7809:TCP"= 7809:TCP:PORT_7809
"5898:TCP"= 5898:TCP:PORT_5898
"17094:TCP"= 17094:TCP:PORT_17094
"21351:TCP"= 21351:TCP:PORT_21351
"18633:TCP"= 18633:TCP:PORT_18633
"19320:TCP"= 19320:TCP:PORT_19320
"63793:TCP"= 63793:TCP:PORT_63793
"57761:TCP"= 57761:TCP:PORT_57761
"26579:TCP"= 26579:TCP:PORT_26579
"64008:TCP"= 64008:TCP:PORT_64008
"57223:TCP"= 57223:TCP:PORT_57223
"6508:TCP"= 6508:TCP:PORT_6508
"36070:TCP"= 36070:TCP:PORT_36070
"30402:TCP"= 30402:TCP:PORT_30402
"13398:TCP"= 13398:TCP:PORT_13398
"7961:TCP"= 7961:TCP:PORT_7961
"36449:TCP"= 36449:TCP:PORT_36449
"23941:TCP"= 23941:TCP:PORT_23941
"58398:TCP"= 58398:TCP:PORT_58398
"14664:TCP"= 14664:TCP:PORT_14664
"25004:TCP"= 25004:TCP:PORT_25004
"24086:TCP"= 24086:TCP:PORT_24086
"27098:TCP"= 27098:TCP:PORT_27098
"35316:TCP"= 35316:TCP:PORT_35316
"54543:TCP"= 54543:TCP:PORT_54543
"6711:TCP"= 6711:TCP:PORT_6711
"51016:TCP"= 51016:TCP:PORT_51016
"43074:TCP"= 43074:TCP:PORT_43074
"5117:TCP"= 5117:TCP:PORT_5117
"51574:TCP"= 51574:TCP:PORT_51574
"35383:TCP"= 35383:TCP:PORT_35383
"58230:TCP"= 58230:TCP:PORT_58230
"47192:TCP"= 47192:TCP:PORT_47192
"56730:TCP"= 56730:TCP:PORT_56730
"22395:TCP"= 22395:TCP:PORT_22395
"36043:TCP"= 36043:TCP:PORT_36043
"9173:TCP"= 9173:TCP:PORT_9173
"64023:TCP"= 64023:TCP:PORT_64023
"17039:TCP"= 17039:TCP:PORT_17039
"51730:TCP"= 51730:TCP:PORT_51730
"12325:TCP"= 12325:TCP:PORT_12325
"49965:TCP"= 49965:TCP:PORT_49965
"57996:TCP"= 57996:TCP:PORT_57996
"50883:TCP"= 50883:TCP:PORT_50883
"58715:TCP"= 58715:TCP:PORT_58715
"59345:TCP"= 59345:TCP:PORT_59345
"61465:TCP"= 61465:TCP:PORT_61465
"26336:TCP"= 26336:TCP:PORT_26336
"54333:TCP"= 54333:TCP:PORT_54333
"9314:TCP"= 9314:TCP:PORT_9314
"63325:TCP"= 63325:TCP:PORT_63325
"33516:TCP"= 33516:TCP:PORT_33516
"28258:TCP"= 28258:TCP:PORT_28258
"28407:TCP"= 28407:TCP:PORT_28407
"64871:TCP"= 64871:TCP:PORT_64871
"23985:TCP"= 23985:TCP:PORT_23985
"10117:TCP"= 10117:TCP:PORT_10117
"46882:TCP"= 46882:TCP:PORT_46882
"32086:TCP"= 32086:TCP:PORT_32086
"10289:TCP"= 10289:TCP:PORT_10289
"46398:TCP"= 46398:TCP:PORT_46398
"38433:TCP"= 38433:TCP:PORT_38433
"37238:TCP"= 37238:TCP:PORT_37238
"8570:TCP"= 8570:TCP:PORT_8570
"6485:TCP"= 6485:TCP:PORT_6485
"41615:TCP"= 41615:TCP:PORT_41615
"20051:TCP"= 20051:TCP:PORT_20051
"34717:TCP"= 34717:TCP:PORT_34717
"18101:TCP"= 18101:TCP:PORT_18101
"31645:TCP"= 31645:TCP:PORT_31645
"14329:TCP"= 14329:TCP:PORT_14329
"52371:TCP"= 52371:TCP:PORT_52371
"58211:TCP"= 58211:TCP:PORT_58211
"21418:TCP"= 21418:TCP:PORT_21418
"53574:TCP"= 53574:TCP:PORT_53574
"6048:TCP"= 6048:TCP:PORT_6048
"64152:TCP"= 64152:TCP:PORT_64152
"12231:TCP"= 12231:TCP:PORT_12231
"14133:TCP"= 14133:TCP:PORT_14133
"44386:TCP"= 44386:TCP:PORT_44386
"53250:TCP"= 53250:TCP:PORT_53250
"49061:TCP"= 49061:TCP:PORT_49061
"49433:TCP"= 49433:TCP:PORT_49433
"16357:TCP"= 16357:TCP:PORT_16357
"33011:TCP"= 33011:TCP:PORT_33011
"26911:TCP"= 26911:TCP:PORT_26911
"12001:TCP"= 12001:TCP:PORT_12001
"21695:TCP"= 21695:TCP:PORT_21695
"12316:TCP"= 12316:TCP:PORT_12316
"37465:TCP"= 37465:TCP:PORT_37465
"7164:TCP"= 7164:TCP:PORT_7164
"62527:TCP"= 62527:TCP:PORT_62527
"56523:TCP"= 56523:TCP:PORT_56523
"47235:TCP"= 47235:TCP:PORT_47235
"45886:TCP"= 45886:TCP:PORT_45886
"5450:TCP"= 5450:TCP:PORT_5450
"19004:TCP"= 19004:TCP:PORT_19004
"36011:TCP"= 36011:TCP:PORT_36011
"58000:TCP"= 58000:TCP:PORT_58000
"47481:TCP"= 47481:TCP:PORT_47481
"42230:TCP"= 42230:TCP:PORT_42230
"22207:TCP"= 22207:TCP:PORT_22207
"21075:TCP"= 21075:TCP:PORT_21075
"16653:TCP"= 16653:TCP:PORT_16653
"7769:TCP"= 7769:TCP:PORT_7769
"57563:TCP"= 57563:TCP:PORT_57563
"44324:TCP"= 44324:TCP:PORT_44324
"43606:TCP"= 43606:TCP:PORT_43606
"52266:TCP"= 52266:TCP:PORT_52266
"35816:TCP"= 35816:TCP:PORT_35816
"31760:TCP"= 31760:TCP:PORT_31760
"33145:TCP"= 33145:TCP:PORT_33145
"33383:TCP"= 33383:TCP:PORT_33383
"40028:TCP"= 40028:TCP:PORT_40028
"40871:TCP"= 40871:TCP:PORT_40871
"38485:TCP"= 38485:TCP:PORT_38485
"6660:TCP"= 6660:TCP:PORT_6660
"47136:TCP"= 47136:TCP:PORT_47136
"61105:TCP"= 61105:TCP:PORT_61105
"47735:TCP"= 47735:TCP:PORT_47735
"15898:TCP"= 15898:TCP:PORT_15898
"22762:TCP"= 22762:TCP:PORT_22762
"24045:TCP"= 24045:TCP:PORT_24045
"56398:TCP"= 56398:TCP:PORT_56398
"39308:TCP"= 39308:TCP:PORT_39308
"39950:TCP"= 39950:TCP:PORT_39950
"17395:TCP"= 17395:TCP:PORT_17395
"32652:TCP"= 32652:TCP:PORT_32652
"37007:TCP"= 37007:TCP:PORT_37007
"37329:TCP"= 37329:TCP:PORT_37329
"52246:TCP"= 52246:TCP:PORT_52246
"31895:TCP"= 31895:TCP:PORT_31895
"40996:TCP"= 40996:TCP:PORT_40996
"38903:TCP"= 38903:TCP:PORT_38903
"44293:TCP"= 44293:TCP:PORT_44293
"44255:TCP"= 44255:TCP:PORT_44255
"47980:TCP"= 47980:TCP:PORT_47980
"63430:TCP"= 63430:TCP:PORT_63430
"51965:TCP"= 51965:TCP:PORT_51965
"23879:TCP"= 23879:TCP:PORT_23879
"27324:TCP"= 27324:TCP:PORT_27324
"39235:TCP"= 39235:TCP:PORT_39235
"57213:TCP"= 57213:TCP:PORT_57213
"29539:TCP"= 29539:TCP:PORT_29539
"23033:TCP"= 23033:TCP:PORT_23033
"61090:TCP"= 61090:TCP:PORT_61090
"16981:TCP"= 16981:TCP:PORT_16981
"55523:TCP"= 55523:TCP:PORT_55523
"46715:TCP"= 46715:TCP:PORT_46715
"65250:TCP"= 65250:TCP:PORT_65250
"55800:TCP"= 55800:TCP:PORT_55800
"25461:TCP"= 25461:TCP:PORT_25461
"10758:TCP"= 10758:TCP:PORT_10758
"59402:TCP"= 59402:TCP:PORT_59402
"34833:TCP"= 34833:TCP:PORT_34833
"39626:TCP"= 39626:TCP:PORT_39626
"10184:TCP"= 10184:TCP:PORT_10184
"44757:TCP"= 44757:TCP:PORT_44757
"58574:TCP"= 58574:TCP:PORT_58574
"47324:TCP"= 47324:TCP:PORT_47324
"21654:TCP"= 21654:TCP:PORT_21654
"59355:TCP"= 59355:TCP:PORT_59355
"20762:TCP"= 20762:TCP:PORT_20762
"10930:TCP"= 10930:TCP:PORT_10930
"54398:TCP"= 54398:TCP:PORT_54398
"42746:TCP"= 42746:TCP:PORT_42746
"6793:TCP"= 6793:TCP:PORT_6793
"55918:TCP"= 55918:TCP:PORT_55918
"44636:TCP"= 44636:TCP:PORT_44636
"28123:TCP"= 28123:TCP:PORT_28123
"56121:TCP"= 56121:TCP:PORT_56121
"10676:TCP"= 10676:TCP:PORT_10676
"53594:TCP"= 53594:TCP:PORT_53594
"14723:TCP"= 14723:TCP:PORT_14723
"17805:TCP"= 17805:TCP:PORT_17805
"5606:TCP"= 5606:TCP:PORT_5606
"47135:TCP"= 47135:TCP:PORT_47135
"41808:TCP"= 41808:TCP:PORT_41808
"51418:TCP"= 51418:TCP:PORT_51418
"48039:TCP"= 48039:TCP:PORT_48039
"10226:TCP"= 10226:TCP:PORT_10226
"18158:TCP"= 18158:TCP:PORT_18158
"48636:TCP"= 48636:TCP:PORT_48636
"56136:TCP"= 56136:TCP:PORT_56136
"49246:TCP"= 49246:TCP:PORT_49246
"44892:TCP"= 44892:TCP:PORT_44892
"7785:TCP"= 7785:TCP:PORT_7785
"54760:TCP"= 54760:TCP:PORT_54760
"43208:TCP"= 43208:TCP:PORT_43208
"50705:TCP"= 50705:TCP:PORT_50705
"58758:TCP"= 58758:TCP:PORT_58758
"5726:TCP"= 5726:TCP:PORT_5726
"47500:TCP"= 47500:TCP:PORT_47500
"8121:TCP"= 8121:TCP:PORT_8121
"20676:TCP"= 20676:TCP:PORT_20676
"37642:TCP"= 37642:TCP:PORT_37642
"12795:TCP"= 12795:TCP:PORT_12795
"19195:TCP"= 19195:TCP:PORT_19195
"49019:TCP"= 49019:TCP:PORT_49019
"30871:TCP"= 30871:TCP:PORT_30871
"23254:TCP"= 23254:TCP:PORT_23254
"15938:TCP"= 15938:TCP:PORT_15938
"18332:TCP"= 18332:TCP:PORT_18332
"61633:TCP"= 61633:TCP:PORT_61633
"56879:TCP"= 56879:TCP:PORT_56879
"56961:TCP"= 56961:TCP:PORT_56961
"45485:TCP"= 45485:TCP:PORT_45485
"40797:TCP"= 40797:TCP:PORT_40797
"15816:TCP"= 15816:TCP:PORT_15816
"56719:TCP"= 56719:TCP:PORT_56719
"63648:TCP"= 63648:TCP:PORT_63648
"45954:TCP"= 45954:TCP:PORT_45954
"55836:TCP"= 55836:TCP:PORT_55836
"50758:TCP"= 50758:TCP:PORT_50758
"43645:TCP"= 43645:TCP:PORT_43645
"13863:TCP"= 13863:TCP:PORT_13863
"23906:TCP"= 23906:TCP:PORT_23906
"5760:TCP"= 5760:TCP:PORT_5760
"26000:TCP"= 26000:TCP:PORT_26000
"41363:TCP"= 41363:TCP:PORT_41363
"6926:TCP"= 6926:TCP:PORT_6926
"9316:TCP"= 9316:TCP:PORT_9316
"55680:TCP"= 55680:TCP:PORT_55680
"61557:TCP"= 61557:TCP:PORT_61557
"22180:TCP"= 22180:TCP:PORT_22180
"37160:TCP"= 37160:TCP:PORT_37160
"30391:TCP"= 30391:TCP:PORT_30391
"34356:TCP"= 34356:TCP:PORT_34356
"50196:TCP"= 50196:TCP:PORT_50196
"41752:TCP"= 41752:TCP:PORT_41752
"17738:TCP"= 17738:TCP:PORT_17738
"55213:TCP"= 55213:TCP:PORT_55213
"65320:TCP"= 65320:TCP:PORT_65320
"16040:TCP"= 16040:TCP:PORT_16040
"18266:TCP"= 18266:TCP:PORT_18266
"63215:TCP"= 63215:TCP:PORT_63215
"12755:TCP"= 12755:TCP:PORT_12755
"12441:TCP"= 12441:TCP:PORT_12441
"18770:TCP"= 18770:TCP:PORT_18770
"42724:TCP"= 42724:TCP:PORT_42724
"54410:TCP"= 54410:TCP:PORT_54410
"6982:TCP"= 6982:TCP:PORT_6982
"55720:TCP"= 55720:TCP:PORT_55720
"64885:TCP"= 64885:TCP:PORT_64885
"25008:TCP"= 25008:TCP:PORT_25008
"6141:TCP"= 6141:TCP:PORT_6141
"30247:TCP"= 30247:TCP:PORT_30247
"56391:TCP"= 56391:TCP:PORT_56391
"24422:TCP"= 24422:TCP:PORT_24422
"36004:TCP"= 36004:TCP:PORT_36004
"19875:TCP"= 19875:TCP:PORT_19875
"46060:TCP"= 46060:TCP:PORT_46060
"21716:TCP"= 21716:TCP:PORT_21716
"41524:TCP"= 41524:TCP:PORT_41524
"18885:TCP"= 18885:TCP:PORT_18885
"18848:TCP"= 18848:TCP:PORT_18848
"13106:TCP"= 13106:TCP:PORT_13106
"35073:TCP"= 35073:TCP:PORT_35073
"27810:TCP"= 27810:TCP:PORT_27810
"38329:TCP"= 38329:TCP:PORT_38329
"24070:TCP"= 24070:TCP:PORT_24070
"23220:TCP"= 23220:TCP:PORT_23220
"50141:TCP"= 50141:TCP:PORT_50141
"36050:TCP"= 36050:TCP:PORT_36050
"23727:TCP"= 23727:TCP:PORT_23727
"54086:TCP"= 54086:TCP:PORT_54086
"41316:TCP"= 41316:TCP:PORT_41316
"60266:TCP"= 60266:TCP:PORT_60266
"54586:TCP"= 54586:TCP:PORT_54586
"36582:TCP"= 36582:TCP:PORT_36582
"42326:TCP"= 42326:TCP:PORT_42326
"23045:TCP"= 23045:TCP:PORT_23045
"46563:TCP"= 46563:TCP:PORT_46563
"11000:TCP"= 11000:TCP:PORT_11000
"64570:TCP"= 64570:TCP:PORT_64570
"44473:TCP"= 44473:TCP:PORT_44473
"5004:TCP"= 5004:TCP:PORT_5004
"56383:TCP"= 56383:TCP:PORT_56383
"37785:TCP"= 37785:TCP:PORT_37785
"27594:TCP"= 27594:TCP:PORT_27594
"53825:TCP"= 53825:TCP:PORT_53825
"62933:TCP"= 62933:TCP:PORT_62933
"43351:TCP"= 43351:TCP:PORT_43351
"59242:TCP"= 59242:TCP:PORT_59242
"26379:TCP"= 26379:TCP:PORT_26379
"52242:TCP"= 52242:TCP:PORT_52242
"46907:TCP"= 46907:TCP:PORT_46907
"35326:TCP"= 35326:TCP:PORT_35326
"10535:TCP"= 10535:TCP:PORT_10535
"9063:TCP"= 9063:TCP:PORT_9063
"44851:TCP"= 44851:TCP:PORT_44851
"52070:TCP"= 52070:TCP:PORT_52070
"61211:TCP"= 61211:TCP:PORT_61211
"40645:TCP"= 40645:TCP:PORT_40645
"50523:TCP"= 50523:TCP:PORT_50523
"27082:TCP"= 27082:TCP:PORT_27082
"8352:TCP"= 8352:TCP:PORT_8352
"52207:TCP"= 52207:TCP:PORT_52207
"20613:TCP"= 20613:TCP:PORT_20613
"21985:TCP"= 21985:TCP:PORT_21985
"6575:TCP"= 6575:TCP:PORT_6575
"35482:TCP"= 35482:TCP:PORT_35482
"36832:TCP"= 36832:TCP:PORT_36832
"56086:TCP"= 56086:TCP:PORT_56086
"41164:TCP"= 41164:TCP:PORT_41164
"40504:TCP"= 40504:TCP:PORT_40504
"43223:TCP"= 43223:TCP:PORT_43223
"20629:TCP"= 20629:TCP:PORT_20629
"41008:TCP"= 41008:TCP:PORT_41008
"24887:TCP"= 24887:TCP:PORT_24887
"40164:TCP"= 40164:TCP:PORT_40164
"38383:TCP"= 38383:TCP:PORT_38383
"20533:TCP"= 20533:TCP:PORT_20533
"59716:TCP"= 59716:TCP:PORT_59716
"21606:TCP"= 21606:TCP:PORT_21606
"56570:TCP"= 56570:TCP:PORT_56570
"57819:TCP"= 57819:TCP:PORT_57819
"10235:TCP"= 10235:TCP:PORT_10235
"6473:TCP"= 6473:TCP:PORT_6473
"55728:TCP"= 55728:TCP:PORT_55728
"33841:TCP"= 33841:TCP:PORT_33841
"43301:TCP"= 43301:TCP:PORT_43301
"47320:TCP"= 47320:TCP:PORT_47320
"32352:TCP"= 32352:TCP:PORT_32352
"30591:TCP"= 30591:TCP:PORT_30591
"22844:TCP"= 22844:TCP:PORT_22844
"17754:TCP"= 17754:TCP:PORT_17754
"61605:TCP"= 61605:TCP:PORT_61605
"29066:TCP"= 29066:TCP:PORT_29066
"53930:TCP"= 53930:TCP:PORT_53930
"30455:TCP"= 30455:TCP:PORT_30455
"26665:TCP"= 26665:TCP:PORT_26665
"48430:TCP"= 48430:TCP:PORT_48430
"44008:TCP"= 44008:TCP:PORT_44008
"60238:TCP"= 60238:TCP:PORT_60238
"27488:TCP"= 27488:TCP:PORT_27488
"49649:TCP"= 49649:TCP:PORT_49649
"34165:TCP"= 34165:TCP:PORT_34165
"16466:TCP"= 16466:TCP:PORT_16466
"29548:TCP"= 29548:TCP:PORT_29548
"51148:TCP"= 51148:TCP:PORT_51148
"57523:TCP"= 57523:TCP:PORT_57523
"37423:TCP"= 37423:TCP:PORT_37423
"34853:TCP"= 34853:TCP:PORT_34853
"24216:TCP"= 24216:TCP:PORT_24216
"16743:TCP"= 16743:TCP:PORT_16743
"62973:TCP"= 62973:TCP:PORT_62973
"33919:TCP"= 33919:TCP:PORT_33919
"19461:TCP"= 19461:TCP:PORT_19461
"48415:TCP"= 48415:TCP:PORT_48415
"21805:TCP"= 21805:TCP:PORT_21805
"61848:TCP"= 61848:TCP:PORT_61848
"5681:TCP"= 5681:TCP:PORT_5681
"60450:TCP"= 60450:TCP:PORT_60450
"56992:TCP"= 56992:TCP:PORT_56992
"45716:TCP"= 45716:TCP:PORT_45716
"28670:TCP"= 28670:TCP:PORT_28670
"36903:TCP"= 36903:TCP:PORT_36903
"45482:TCP"= 45482:TCP:PORT_45482
"9766:TCP"= 9766:TCP:PORT_9766
"47785:TCP"= 47785:TCP:PORT_47785
"26766:TCP"= 26766:TCP:PORT_26766
"61770:TCP"= 61770:TCP:PORT_61770
"6285:TCP"= 6285:TCP:PORT_6285
"47226:TCP"= 47226:TCP:PORT_47226
"17850:TCP"= 17850:TCP:PORT_17850
"14703:TCP"= 14703:TCP:PORT_14703
"12379:TCP"= 12379:TCP:PORT_12379
"42395:TCP"= 42395:TCP:PORT_42395
"11328:TCP"= 11328:TCP:PORT_11328
"30598:TCP"= 30598:TCP:PORT_30598
"13270:TCP"= 13270:TCP:PORT_13270
"38219:TCP"= 38219:TCP:PORT_38219
"23926:TCP"= 23926:TCP:PORT_23926
"32000:TCP"= 32000:TCP:PORT_32000
"56867:TCP"= 56867:TCP:PORT_56867
"65477:TCP"= 65477:TCP:PORT_65477
"40129:TCP"= 40129:TCP:PORT_40129
"30969:TCP"= 30969:TCP:PORT_30969
"58164:TCP"= 58164:TCP:PORT_58164
"51672:TCP"= 51672:TCP:PORT_51672
"27551:TCP"= 27551:TCP:PORT_27551
"25844:TCP"= 25844:TCP:PORT_25844
"22918:TCP"= 22918:TCP:PORT_22918
"62000:TCP"= 62000:TCP:PORT_62000
"12363:TCP"= 12363:TCP:PORT_12363
"31379:TCP"= 31379:TCP:PORT_31379
"51360:TCP"= 51360:TCP:PORT_51360
"60600:TCP"= 60600:TCP:PORT_60600
"60633:TCP"= 60633:TCP:PORT_60633
"50516:TCP"= 50516:TCP:PORT_50516
"34747:TCP"= 34747:TCP:PORT_34747
"60648:TCP"= 60648:TCP:PORT_60648
"55848:TCP"= 55848:TCP:PORT_55848
"22430:TCP"= 22430:TCP:PORT_22430
"34547:TCP"= 34547:TCP:PORT_34547
"44887:TCP"= 44887:TCP:PORT_44887
"8613:TCP"= 8613:TCP:PORT_8613
"11488:TCP"= 11488:TCP:PORT_11488
"46383:TCP"= 46383:TCP:PORT_46383
"32281:TCP"= 32281:TCP:PORT_32281
"44820:TCP"= 44820:TCP:PORT_44820
"48786:TCP"= 48786:TCP:PORT_48786
"57747:TCP"= 57747:TCP:PORT_57747
"10969:TCP"= 10969:TCP:PORT_10969
"63523:TCP"= 63523:TCP:PORT_63523
"44735:TCP"= 44735:TCP:PORT_44735
"34102:TCP"= 34102:TCP:PORT_34102
"20938:TCP"= 20938:TCP:PORT_20938
"55246:TCP"= 55246:TCP:PORT_55246
"55575:TCP"= 55575:TCP:PORT_55575
"62173:TCP"= 62173:TCP:PORT_62173
"34020:TCP"= 34020:TCP:PORT_34020
"7051:TCP"= 7051:TCP:PORT_7051
"54770:TCP"= 54770:TCP:PORT_54770
"58023:TCP"= 58023:TCP:PORT_58023
"35685:TCP"= 35685:TCP:PORT_35685
"28881:TCP"= 28881:TCP:PORT_28881
"40011:TCP"= 40011:TCP:PORT_40011
"38180:TCP"= 38180:TCP:PORT_38180

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-26 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-05-09 24652]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [2005-01-25 114944]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-01-25 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-09 22:34]

2007-05-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-09 13:21]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyServer = hxxp://proxy/:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com \*.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com \download
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 04:14:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\Support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-130975665-589280043-1178334690-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-12 4:17:10
ComboFix-quarantined-files.txt 2009-02-12 09:16:50
ComboFix2.txt 2009-02-10 08:58:37

Pre-Run: 10,180,710,400 bytes free
Post-Run: 10,246,742,016 bytes free

932 --- E O F --- 2009-02-12 08:53:51



And now the HijackThis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:00 AM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/ ... 586-jc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11804 bytes
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am

Re: web searches hijacked

Unread postby Bio-Hazard » February 12th, 2009, 6:04 pm

Hello!

Let's try this online scan instead of ESET.

Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.



Update Adobe Reader

Please uninstall the older version of Adobe Reader before installing the latest version

  • Click Start
  • Control Panel
  • Double-click on Add/Remove Programs
  • Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
  • Click HERE to download the latest version of Adobe Acrobat Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.


Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. If you select Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.


Next Reply

Please reply with:
  • Kaspersky Log
  • New HijackThis log
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: web searches hijacked

Unread postby ErikG » February 13th, 2009, 8:00 am

Well, after 4 1/2 hours and at 97% completed the Kaspersky scan stalled and wouldn't reactivate. I guess due to this the "scan report" was blank. At the time it shut down (nearly 306,000 files scanned) the scan in progress was displaying 6 "Threat Names" and 15 "Infected Objects" as having been detected. When it locked up the display showed

"Now scanning: DRIVER.CAB
Location: G:\WINDOWS\1386"

The G drive is an internal backup.

I updated Adobe and got rid of Viewpoint. The computer is running fine. The only problem I was having was with web search returns, and those are no longer links to ridiculously unrelated sites. The requested HijackThis log follows. Thanks again for all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:50 AM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11944 bytes
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am

Re: web searches hijacked

Unread postby ErikG » February 13th, 2009, 6:12 pm

Glory!! A second attempt on Kaspersky produced a complete scan. Here are those results plus another HijackThis log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, February 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 13, 2009 11:16:42
Records in database: 1792002
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 333033
Threat name: 7
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 04:55:16


File name / Threat name / Threats count
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\$NtServicePackUninstall$\lsass.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\$NtServicePackUninstall$\services.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe Infected: Trojan.Win32.Patched.cx 1
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe Infected: Trojan.Win32.Patched.cx 1
G:\Documents and Settings\HP_Owner\Local Settings\Temp\ms1210243290.exe Infected: Trojan-Dropper.Win32.Agent.rky 1
G:\Documents and Settings\HP_Owner\Local Settings\Temp\rsyncini.exe Infected: Trojan.Win32.Shutdowner.em 1
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\c3dWbVdVVXl0Sm9BQUQ5Qjd2SUFBQUxy[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\d3VQNUZrVXl0Sm9BQURNT0ZOQUFBQUdL[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\NQ6QYBUT\eTY5b1NVVXl0Sm9BQUVRek9lY0FBQUQ3[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
G:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
G:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h 1
G:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.cx 1
G:\WINDOWS\system32\~.exe Infected: Trojan-Dropper.Win32.Agent.bgh 1

The selected area was scanned.


Now the HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:23 PM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12029 bytes
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am

Re: web searches hijacked

Unread postby Bio-Hazard » February 14th, 2009, 4:18 am

Hello!

Kaspersky scan found some more things that we need to sort out.


Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:files
G:\WINDOWS\system32\~.exe
G:\WINDOWS\cpbrkpie.ocx
G:\Documents and Settings\HP_Owner\Local Settings\Temp\ms1210243290.exe
G:\Documents and Settings\HP_Owner\Local Settings\Temp\rsyncini.exe
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\c3dWbVdVVXl0Sm9BQUQ5Qjd2SUFBQUxy[1].wmf
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\d3VQNUZrVXl0Sm9BQURNT0ZOQUFBQUdL[1].wmf
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\NQ6QYBUT\eTY5b1NVVXl0Sm9BQUVRek9lY0FBQUQ3[1].wmf
:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Dr.Web CureIt

Download to the desktop: Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
    Image
    If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Image
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt Log
  • Dr Web Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: web searches hijacked

Unread postby ErikG » February 14th, 2009, 2:28 pm

The computer seems to be behaving just fine. Web searches produce legitimate returns, and everything else seems to be in perfect running order. :)
Here are the requested logs, beginning with OTMoveIt.

========== FILES ==========
G:\WINDOWS\system32\~.exe moved successfully.
G:\WINDOWS\cpbrkpie.ocx unregistered successfully.
G:\WINDOWS\cpbrkpie.ocx moved successfully.
G:\Documents and Settings\HP_Owner\Local Settings\Temp\ms1210243290.exe moved successfully.
G:\Documents and Settings\HP_Owner\Local Settings\Temp\rsyncini.exe moved successfully.
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\c3dWbVdVVXl0Sm9BQUQ5Qjd2SUFBQUxy[1].wmf moved successfully.
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\HN4UQB91\d3VQNUZrVXl0Sm9BQURNT0ZOQUFBQUdL[1].wmf moved successfully.
G:\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\NQ6QYBUT\eTY5b1NVVXl0Sm9BQUVRek9lY0FBQUQ3[1].wmf moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_688.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02142009_053328

Files moved on Reboot...
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\hpodvd09.log moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll NOT unregistered.
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_688.dat not found!


Now the DrWeb log.

ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\HP_Owner\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\HP_Owner\Desktop;Container contains infected objects;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
A0108944.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP745;Win32.HLLW.Gavir.119;Deleted.;
A0113002.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Adware.Cfd;Moved.;
A0114001.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761\A0114001.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Archive contains infected objects;;
A0114001.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Container contains infected objects;Moved.;
explorer.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
lsass.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
services.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
spoolsv.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
svchost.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
winlogon.exe;C:\WINDOWS\$NtServicePackUninstall$;Trojan.Starter.384;Cured.;
ms1210243290.exe;C:\_OTMoveIt\MovedFiles\02142009_053328\Documents and Settings\HP_Owner\Local Settings\Temp;Trojan.DownLoad.920;Deleted.;
rsyncini.exe;C:\_OTMoveIt\MovedFiles\02142009_053328\Documents and Settings\HP_Owner\Local Settings\Temp;Trojan.DownLoad.138;Deleted.;
c3dWbVdVVXl0Sm9BQUQ5Qjd2SUFBQUxy[1].wmf;C:\_OTMoveIt\MovedFiles\02142009_053328\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE;Exploit.MS05-053;Deleted.;
d3VQNUZrVXl0Sm9BQURNT0ZOQUFBQUdL[1].wmf;C:\_OTMoveIt\MovedFiles\02142009_053328\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE;Exploit.MS05-053;Deleted.;
eTY5b1NVVXl0Sm9BQUVRek9lY0FBQUQ3[1].wmf;C:\_OTMoveIt\MovedFiles\02142009_053328\Documents and Settings\HP_Owner\Local Settings\Temp\Temporary Internet Files\Content.IE;Exploit.MS05-053;Deleted.;
cpbrkpie.ocx;C:\_OTMoveIt\MovedFiles\02142009_053328\WINDOWS;Adware.Coupons;Moved.;
~.exe;C:\_OTMoveIt\MovedFiles\02142009_053328\WINDOWS\system32;Win32.HLLW.Gavir.119;Deleted.;
KillWind.exe;G:\hp\bin;Tool.ProcessKill;Moved.;
CFD.exe;G:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Moved.;
A0112970.exe;G:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Win32.HLLW.Gavir.119;Deleted.;
A0112971.ocx;G:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Adware.Coupons;Moved.;
A0112972.exe;G:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Trojan.DownLoad.920;Deleted.;
A0112973.exe;G:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP761;Trojan.DownLoad.138;Deleted.;
explorer.exe;G:\WINDOWS;Trojan.Starter.384;Cured.;
lsass.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;
regscan.exe;G:\WINDOWS\system32;Trojan.Packed.1229;Deleted.;
services.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;
spoolsv.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;
svchost.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;
winlogon.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;


And another HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:18 PM, on 2/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1108502796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9239124796
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/ ... 586-jc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11582 bytes
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am
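The Dr.Web log above is the "Save report list" output the previous post asked for: one object per line, fields separated by semicolons, with archive members (written as container/member) carrying an empty action because the verdict was applied to the container line that follows. As an added example, not code from Dr.Web, the forum or either poster, here is a small parser that turns such a report into records, counts the verdicts and picks out system binaries that were reported as "Cured.", since a disinfected copy of lsass.exe or services.exe is worth checking on its own. The line format and the directory markers are assumptions read off the posted log; the sample lines are copied from it.

```python
"""Parse a Dr.Web CureIt 'Save report list' file (DrWeb.csv).

Added example for this thread, not code from Dr.Web or the forum. The line
format is an assumption read off the log posted above:
    object;directory;detection;action;
Objects found inside an archive carry the archive path in their name
(e.g. "ComboFix.exe/data002\\...") and have an empty action, because the
action was applied to the container line that follows.
"""
from collections import Counter

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_REPORT = r"""
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\HP_Owner\Desktop;Container contains infected objects;Moved.;
A0108944.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP745;Win32.HLLW.Gavir.119;Deleted.;
lsass.exe;G:\WINDOWS\system32;Trojan.Starter.384;Cured.;
regscan.exe;G:\WINDOWS\system32;Trojan.Packed.1229;Deleted.;
CFD.exe;G:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Moved.;
"""

# Windows directories whose executables are system binaries (assumed markers).
# A "Cured." verdict there means a file infector patched a core file.
SYSTEM_DIR_MARKERS = ("\\windows\\system32", "\\windows")


def parse_drweb_report(text):
    """Return one dict per report line; blank or malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 3:
            continue  # not a report line
        name, directory, detection = parts[0], parts[1], parts[2]
        action = parts[3].rstrip(".") if len(parts) > 3 else ""
        records.append({
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action or "none",
            # Archive members are written as container/member, with '/'.
            "in_archive": "/" in name,
            "path": directory + "\\" + name,
        })
    return records


def summarize_actions(records):
    """Count verdicts: Deleted, Moved, Cured, or none (handled via container)."""
    return dict(Counter(r["action"] for r in records))


def cured_system_binaries(records):
    """Paths of system executables the scanner reported as cured (disinfected)."""
    hits = []
    for r in records:
        d = r["directory"].lower()
        if r["action"] == "Cured" and any(m in d for m in SYSTEM_DIR_MARKERS):
            hits.append(r["path"])
    return hits


if __name__ == "__main__":
    recs = parse_drweb_report(SAMPLE_REPORT)
    print(summarize_actions(recs))
    print("cured system binaries:", cured_system_binaries(recs))
```

Run it against a real DrWeb.csv by reading the file into `parse_drweb_report`; the "none" bucket is not a failure, it is the archive members whose container was moved or deleted as a whole.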

Re: web searches hijacked

Unread postby ErikG » February 15th, 2009, 3:34 am

I'm going to be out of town and away from the computer for a few days. I'll be back no later than Thursday. Wanted to let you know, so you wouldn't think I'd concluded everything was cleaned up and virus free. Again, I greatly appreciate all your help!
ErikG
Active Member
 
Posts: 13
Joined: January 27th, 2009, 3:00 am

Re: web searches hijacked

Unread postby Bio-Hazard » February 15th, 2009, 10:05 am

Hello!

Thank you for letting me know.

In your ComboFix log there are a lot of ports open on your computer. Have you set them up? Do you play any online games?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27424:TCP"= 27424:TCP:PORT_27424
"55895:TCP"= 55895:TCP:PORT_55895
"22351:TCP"= 22351:TCP:PORT_22351
"37832:TCP"= 37832:TCP:PORT_37832
"63582:TCP"= 63582:TCP:PORT_63582
"39023:TCP"= 39023:TCP:PORT_39023
"33086:TCP"= 33086:TCP:PORT_33086
"14641:TCP"= 14641:TCP:PORT_14641
"44266:TCP"= 44266:TCP:PORT_44266
"43820:TCP"= 43820:TCP:PORT_43820
"25645:TCP"= 25645:TCP:PORT_25645
"20461:TCP"= 20461:TCP:PORT_20461
"18211:TCP"= 18211:TCP:PORT_18211
"48976:TCP"= 48976:TCP:PORT_48976

The list goes on.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
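The registry list quoted above is the Windows XP firewall's GloballyOpenPorts policy as ComboFix prints it, one value per line. As an added example, not code from ComboFix, the forum or either poster, the following script parses that excerpt and sorts the entries into ports the user confirms they opened and ports to ask about, putting PORT_<n> rules on high ports first since those carry no application name. The condensed `"port:proto"= port:proto:name` line format is an assumption taken from the post; the two numbered values are copied from it and the "Remote Desktop" line is a constructed contrast.

```python
"""Triage the firewall GloballyOpenPorts list shown in a ComboFix log.

Added example for this thread, not code from ComboFix or the forum. It
assumes the condensed form ComboFix prints for each registry value:
    "27424:TCP"= 27424:TCP:PORT_27424
i.e. value name, then data of the form port:protocol:rule name. A rule
named PORT_<port> carries no application name, so the question in the
post above ("have you set them up?") is the only way to settle whether a
user or an unwanted program opened it.
"""
import re
from collections import namedtuple

OpenPort = namedtuple("OpenPort", "port proto name")

# Constructed sample: the header and two values copied from the post, plus one
# invented friendly-named rule to show what a user-created entry looks like.
SAMPLE_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27424:TCP"= 27424:TCP:PORT_27424
"55895:TCP"= 55895:TCP:PORT_55895
"3389:TCP"= 3389:TCP:Remote Desktop
"""

VALUE_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"=\s*(\d{1,5}):(TCP|UDP):(.+)$')


def parse_open_ports(text):
    """Parse one GloballyOpenPorts value per line; other lines are ignored.

    Lines whose value name disagrees with the data are rejected as malformed
    rather than silently accepted.
    """
    entries = []
    for raw in text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if not m:
            continue
        name_port, name_proto, data_port, data_proto, rule = m.groups()
        if (name_port, name_proto) != (data_port, data_proto):
            raise ValueError(f"inconsistent firewall entry: {raw.strip()}")
        port = int(data_port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {raw.strip()}")
        entries.append(OpenPort(port, data_proto, rule.strip()))
    return entries


def is_generic_rule(entry):
    """True when the rule name is just PORT_<port>, i.e. no application named."""
    return entry.name == f"PORT_{entry.port}"


def triage(entries, expected):
    """Split entries into those the user knows about and those to ask about.

    `expected` is a set of (port, proto) pairs the user confirms they opened
    (games, remote desktop, ...). Anything else is reported, with generic
    PORT_<n> rules on high ports listed first, since those are the ones most
    often opened by software on the user's behalf.
    """
    known, ask = [], []
    for e in entries:
        (known if (e.port, e.proto) in expected else ask).append(e)
    ask.sort(key=lambda e: (not (is_generic_rule(e) and e.port >= 1024), e.port))
    return {"known": known, "ask": ask}


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_EXCERPT)
    result = triage(ports, expected={(3389, "TCP")})
    for e in result["ask"]:
        print(f"ask about {e.port}/{e.proto} ({e.name})")
```

Paste the full GloballyOpenPorts block from a ComboFix log into `SAMPLE_EXCERPT` (or read it from the log file) and fill `expected` with whatever the user confirms; every entry left in the "ask" list is one the helper should raise with them, exactly as the post does.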