Hello everyone. Today I ran a Spybot scan which showed a single instance of the trojan Hupigon13 on my machine. I'd never heard of it before, and upon Googling learned how malignant it is -- yuck. I hadn't noticed anything amiss with my PC at the time, and in fact had done a Spybot scan earlier in the week with no trace of the Hupigon13, so I don't believe I've had it more than a few days. I haven't downloaded any new programs during that time period, and make it a habit to scan anything incoming with both my anti-virus and anti-spyware programs. Clearly, though, it wasn't enough, because this had to come from somewhere. The only thing I can think of off the top of my head is that my firewall has been on medium for the internet zone for a bit, but that's now been remedied.

After I got the Spybot result, I used Spybot to delete it (which it claimed to have done successfully) mostly just to see if it reappeared after a reboot and a second Spybot scan -- I didn't think it would actually get rid of it, and it didn't. The single instance was still there, located in the HKEY_LOCAL_MACHINE branch of the registry. I've done the prework, and here are my logs:



Deckard's System Scanner v20071014.68
Run by Rebecca on 2008-08-02 03:58:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-02 10:58:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Rebecca.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:33 AM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Documents and Settings\Rebecca\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rebecca.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper Class - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FloatBar Class - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\PimpFish\FloatBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: PimpFish Basic - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe " /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: PimpFish Basic - Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Basic - Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Basic - Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Basic - Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Basic - Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC16C610-928C-481B-8C5F-3B01A9DF019C}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9648 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys (file missing)
S3 BOCDRIVE (BOClean Kernel Monitor.) - c:\program files\comodo\cboclean\bocdrive.sys (file missing)
S3 StMp3Rec (Player Recovery Device Control Driver) - c:\windows\system32\drivers\stmp3rec.sys <Not Verified; Generic; Generic MP3 Player>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 16:16:19 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-07-30 21:29:42 0 d-------- C:\Program Files\DVD Audio Extractor
2008-07-27 19:34:43 0 d-------- C:\Program Files\Panda Security
2008-07-26 02:27:59 0 dr------- C:\Documents and Settings\NetworkService\My Documents
2008-07-26 02:27:58 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-26 02:26:39 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-24 13:22:11 0 d-------- C:\Documents and Settings\Rebecca\Application Data\MSNInstaller
2008-07-23 03:04:33 0 d-------- C:\Program Files\Western Digital Technologies
2008-07-17 19:41:52 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-17 14:50:12 240640 --a------ C:\WINDOWS\system32\imgman31.dll <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-07-17 14:46:18 0 d-------- C:\Documents and Settings\Rebecca\Application Data\Acoustica
2008-07-17 14:41:49 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-17 14:41:10 0 d-------- C:\Program Files\NCH Software
2008-07-09 18:58:56 0 d-------- C:\Documents and Settings\Rebecca\Application Data\MSNInstaller(3)
2008-07-05 02:48:49 0 d-------- C:\Program Files\SpywareBlaster
2008-07-04 17:16:29 0 d-------- C:\Program Files\iPod
2008-07-04 17:16:09 0 d-------- C:\Program Files\iTunes
2008-07-04 17:11:54 0 d-------- C:\Program Files\Bonjour
2008-07-04 17:09:30 0 d-------- C:\Program Files\QuickTime
2008-07-04 17:04:48 0 d-------- C:\Program Files\Apple Software Update
2008-07-04 17:03:07 0 d-------- C:\Program Files\Common Files\Apple
2008-07-04 17:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-08-02 03:17:28 0 d-------- C:\Documents and Settings\Rebecca\Application Data\MSN6
2008-08-02 00:14:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-28 12:45:19 0 d-------- C:\Program Files\a-squared Free
2008-07-26 17:32:51 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-07-26 17:32:46 0 d-------- C:\Program Files\DVDVideoSoft
2008-07-11 00:45:23 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-04 17:03:07 0 d-------- C:\Program Files\Common Files
2008-07-01 18:58:36 0 d-------- C:\Program Files\Mp3TagToolsv12
2008-06-16 00:44:20 0 d-------- C:\Program Files\Java
2008-06-15 01:18:54 0 d-------- C:\Documents and Settings\Rebecca\Application Data\RipIt4Me
2008-06-08 19:16:38 0 d-------- C:\Program Files\MediaCoder


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 12:01 AM]
"P17Helper"="P17.dll" [06/10/2004 10:51 AM C:\WINDOWS\SYSTEM32\P17.dll]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 07:12 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 11:52 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [11/28/2005 02:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NWEReboot"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 12:05 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\M SConfig.exe" [08/04/2004 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/14/2005 10:05 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/19/2004 06:51 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [10/02/2003 01:06 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\Rebecca\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
"C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.1 Free Credit Report at ConsumerInfo.com, an Experian company
127.0.0.1 i.i.com.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com

7904 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-02 04:03:55 ------------

Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

Okay, I think I've made things worse somehow.

Pancake, I followed your instructions and the guide, but something went wrong during the ComboFix scan. It started out fine, everything appearing as it does in the images accompanying the ComboFix tutorial, and I left the room for about ten minutes while the scan was in progress. When I returned, there was a window telling me that a particular .dll couldn't be shut down, and asking that ComboFix be allowed to reboot the computer. I clicked "OK" before I meant to, so I didn't get the name of the .dll (yes, I know, extremely stupid move). And then I waited, and waited, and waited for at least 15 minutes for ComboFix to perform the reboot -- but it never did, and everything was frozen and looked like it was going to be staying that way indefinitely. So I restarted the computer, and when it had rebooted, the window telling me that ComboFix is preparing the log report immediately popped up, and has now been that way for nearly 90 minutes. I know that the tutorial says the preparation of the report can take some time, but I'm afraid, given the error that occurred and the reboot, that ComboFix is just stuck somehow and is not actually preparing a report. Is an hour-plus normal? If not, how the heck do I get out of this so that I can try again?

I feel extremely boneheaded right now, and I'm sure you agree. But your help is appreciated.

Ok.Run Combofix again....

Okay, following your advice, I shut down ComboFix and then attempted to run it twice more. I didn't have a recurrence of the .dll error, but both times after completing all the stages of the scan, instead of immediately getting a message stating that the log was being prepared, I got one saying that Windows was being rebooted, and to please allow ComboFix to reboot the machine. Unlike the previous time when ComboFix did NOT reboot the machine, these last two times it did. Once the machine was rebooted, the message about the log being prepared popped up instantly, and then proceeded to hang for well over an hour in both instances, never generating the log. The rebooting seems very weird to me, as there's no mention of that step in the tutorial.

I'm stumped as to what the problem is -- as I said, I followed the instructions very carefully. Any ideas regarding how I can get ComboFix to work, or what's keeping it from working?

Ok.See ifyou can run it in safe mode,if not run this.


Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt to here.
Please attach extra.txt to your post.
To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

It took a couple of tries in safe mode, but I finally have a ComboFix log - yay! And here is the new HiJackThis log too:



ComboFix 08-08-01.05 - Rebecca 2008-08-03 17:30:22.5 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-03 17:00 . 2008-08-03 17:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-08-03 15:07 . 2008-08-03 15:11 141,824,000 --a------ C:\MY_BRILLIANT_CAREER.ISO
2008-08-03 14:30 . 2008-08-03 14:30 <DIR> d-------- C:\MY_BRILLIANT_CAREER
2008-08-02 03:57 . 2008-08-02 03:57 <DIR> d-------- C:\Deckard
2008-07-30 21:29 . 2008-07-30 21:29 <DIR> d-------- C:\Program Files\DVD Audio Extractor
2008-07-27 19:50 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-27 19:34 . 2008-07-27 19:34 <DIR> d-------- C:\Program Files\Panda Security
2008-07-24 13:22 . 2008-07-27 18:43 <DIR> d-------- C:\Documents and Settings\Rebecca\Application Data\MSNInstaller
2008-07-23 03:04 . 2008-07-23 03:04 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-07-17 19:41 . 2008-07-17 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-17 15:43 . 2003-02-24 17:17 299,552 --a------ C:\WINDOWS\wmsysprx.prx
2008-07-17 14:52 . 2008-07-17 14:52 24 --a------ C:\WINDOWS\99cmg290in.lcx
2008-07-17 14:46 . 2008-07-17 14:46 <DIR> d-------- C:\Documents and Settings\Rebecca\Application Data\Acoustica
2008-07-17 14:41 . 2008-07-17 14:41 <DIR> d-------- C:\Program Files\NCH Software
2008-07-17 14:41 . 2008-07-17 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-16 23:26 . 2008-07-19 22:40 444 --a------ C:\WINDOWS\TOC Printer.INI
2008-07-09 18:58 . 2008-07-09 20:00 <DIR> d-------- C:\Documents and Settings\Rebecca\Application Data\MSNInstaller(3)
2008-07-05 02:48 . 2008-07-26 13:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-04 17:16 . 2008-07-04 17:16 <DIR> d-------- C:\Program Files\iTunes
2008-07-04 17:16 . 2008-07-04 17:16 <DIR> d-------- C:\Program Files\iPod
2008-07-04 17:11 . 2008-07-04 17:11 <DIR> d-------- C:\Program Files\Bonjour
2008-07-04 17:09 . 2008-07-04 17:11 <DIR> d-------- C:\Program Files\QuickTime
2008-07-04 17:04 . 2008-07-04 17:04 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-04 17:03 . 2008-07-04 17:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-04 17:03 . 2008-07-04 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 01:54 . 2008-07-04 01:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 01:54 . 2008-07-04 01:54 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-08-04 00:27 6,752 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-04 00:27 522,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 23:53 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\MSN6
2008-08-03 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-08-03 07:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 07:06 12,981,248 ----a-w C:\WINDOWS\Internet Logs\xDB108.tmp
2008-07-28 19:45 --------- d-----w C:\Program Files\a-squared Free
2008-07-27 00:32 --------- d-----w C:\Program Files\DVDVideoSoft
2008-07-27 00:32 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-11 07:45 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-09 23:57 1,691,648 ----a-w C:\WINDOWS\Internet Logs\xDB107.tmp
2008-07-09 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-02 01:58 --------- d-----w C:\Program Files\Mp3TagToolsv12
2008-07-02 00:54 1,651,200 ----a-w C:\WINDOWS\Internet Logs\xDB106.tmp
2008-07-01 21:18 1,651,200 ----a-w C:\WINDOWS\Internet Logs\xDB105.tmp
2008-06-30 04:20 18,724,730 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 09:53 1,636,864 ----a-w C:\WINDOWS\Internet Logs\xDB104.tmp
2008-06-17 10:27 1,636,352 ----a-w C:\WINDOWS\Internet Logs\xDB103.tmp
2008-06-16 07:44 --------- d-----w C:\Program Files\Java
2008-06-15 08:18 --------- d-----w C:\Documents and Settings\Rebecca\Application Data\RipIt4Me
2008-06-14 20:37 1,615,872 ----a-w C:\WINDOWS\Internet Logs\xDB102.tmp
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 07:56 1,587,200 ----a-w C:\WINDOWS\Internet Logs\xDB101.tmp
2008-06-09 02:16 --------- d-----w C:\Program Files\MediaCoder
2008-06-02 11:20 1,580,544 ----a-w C:\WINDOWS\Internet Logs\xDB100.tmp
2008-05-26 11:15 1,492,992 ----a-w C:\WINDOWS\Internet Logs\xDBFF.tmp
2008-05-23 22:29 1,470,976 ----a-w C:\WINDOWS\Internet Logs\xDBFE.tmp
2005-05-14 00:12 217,073 -csha-r C:\WINDOWS\meta4.exe
2005-07-14 19:31 27,648 -csha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 22:32 616,448 -csha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-22 05:37 45,568 -csha-r C:\WINDOWS\SYSTEM32\cygz.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\SYSTEM32\flvDX.dll
2004-01-25 07:00 70,656 -csha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\SYSTEM32\msfDX.dll
2004-01-25 07:00 70,656 -csha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2005-06-14 10:05 6856704]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 13:06 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52 339968]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\M SConfig.exe" [2004-08-04 04:00 158208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"P17Helper"="P17.dll" [2004-06-10 10:51 60928 C:\WINDOWS\SYSTEM32\P17.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2005-11-28 14:02 988701 C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboo t.sys [2008-06-19 17:24]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Rebecca\Application Data\Mozilla\Firefox\Profiles\5w52zurx.default\


************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 17:36:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
.
************************************************** ************************
.
Completion time: 2008-08-03 17:41:28 - machine was rebooted [Rebecca]
ComboFix-quarantined-files.txt 2008-08-04 00:41:18

Pre-Run: 122,077,736,960 bytes free
Post-Run: 121,517,723,648 bytes free

177 --- E O F --- 2008-07-09 23:28:21





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:10 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper Class - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FloatBar Class - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\PimpFish\FloatBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: PimpFish Basic - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe " /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: PimpFish Basic - Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Basic - Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Basic - Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Basic - Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Basic - Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9314 bytes