Trojan Fake Alert Virus (hijackthis Log)[INACTIVE]

MichaelC · December 5, 2008

I believe i have the Trojan Fake Alert Virus. Can someone help me? My CPU functions best in safe mode.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:07:06 PM, on 12/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.a...&bm=ho_home

O1 - Hosts: 68.44.244.240 idenupdate.motorola.com

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {4EB727B3-2FC9-418B-A557-B006BF1D05BF} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll

O2 - BHO: (no name) - {7F4FF6D5-E71D-4B1A-AD0B-A660C1FD1837} - C:\WINDOWS\system32\efcdaxyW.dll (file missing)

O2 - BHO: (no name) - {89A9EFED-25F7-4866-995D-169F32321972} - (no file)

O2 - BHO: (no name) - {A5F28546-F312-473F-9904-4D3EF6C9FCFC} - C:\WINDOWS\system32\qoMdDsrR.dll (file missing)

O2 - BHO: {92ef6a44-11a8-9d6b-d644-8eee4fbc1cfb} - {bfc1cbf4-eee8-446d-b6d9-8a1144a6fe29} - C:\WINDOWS\system32\cqvxsu.dll (file missing)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Browser Toolbar - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - C:\Program Files\WebMediaViewer\browseul.dll

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [bc9ba61e] rundll32.exe "C:\WINDOWS\system32\nuoecjwp.dll",b

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Adrieann Rivera\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

O4 - HKCU\..\Run: [sVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKCU\..\Run: [vidxhp] "C:\Documents and Settings\Adrieann Rivera\Application Data\Google\ggqjh22510678.exe"

O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe

O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec Network Driver Update Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Remocon Driver.lnk = ?

O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe

O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: cqvxsu.dll,avgrsstx.dll

O20 - Winlogon Notify: efcdaxyW - efcdaxyW.dll (file missing)

O22 - SharedTaskScheduler: evacuative - {4d5b7736-a3bc-4e5b-9fa2-1bcc3e587abb} - C:\WINDOWS\system32\cwegus.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe

O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 9136 bytes

Rorschach112 · December 5, 2008

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

MichaelC · December 6, 2008

SmitFraudFix v2.381

Scan done at 17:18:34.09, Sat 12/06/2008

Run from SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

68.44.244.240 idenupdate.motorola.com

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

S!Ri's WS2Fix: LSP not Found.

GenericRenosFix by S!Ri

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport

DNS Server Search Order: 167.206.251.130

DNS Server Search Order: 167.206.251.129

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C50E9508-4448-44D8-96B5-98172FA671D2}: DhcpNameServer=167.206.251.130 167.206.251.129

HKLM\SYSTEM\CS1\Services\Tcpip\..\{C50E9508-4448-44D8-96B5-98172FA671D2}: DhcpNameServer=167.206.251.130 167.206.251.129

HKLM\SYSTEM\CS2\Services\Tcpip\..\{C50E9508-4448-44D8-96B5-98172FA671D2}: DhcpNameServer=167.206.251.130 167.206.251.129

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.251.130 167.206.251.129

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

Registry Cleaning done.

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

MichaelC · December 6, 2008

ComboFix 08-12-06.04 - Adrieann Rivera 2008-12-06 18:11:40.1 - NTFSx86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.298 [GMT -5:00]

Running from: c:\documents and settings\Adrieann Rivera\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Adrieann Rivera\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Adrieann Rivera\Application Data\gadcom

c:\documents and settings\Adrieann Rivera\Application Data\gadcom\coma.exe

c:\documents and settings\Adrieann Rivera\Application Data\Google\ggqjh22510678.exe

c:\documents and settings\Adrieann Rivera\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Jaime Rivera\My Documents\My Documents.url

c:\documents and settings\Jaime Rivera\My Documents\My Pictures\My Pictures.url

c:\documents and settings\Jaime Rivera\My Documents\My Videos\My Video.url

c:\program files\outlook

c:\program files\outlook\p.zip

c:\program files\outlook\v.tmp

c:\program files\winupdates

c:\program files\winupdates\a.zip

c:\windows\BMbfa89582.txt

c:\windows\BMbfa89582.xml

c:\windows\cookies.ini

c:\windows\hosts

c:\windows\system32\abojxfeq.ini

c:\windows\system32\bszip.dll

c:\windows\system32\cmd.com

c:\windows\system32\digeste.dll

c:\windows\system32\grknlwse.ini

c:\windows\system32\htjbyddf.ini

c:\windows\system32\ldrutfsv.ini

c:\windows\system32\lwtkscee.ini

c:\windows\system32\mcrh.tmp

c:\windows\system32\obhhfgoi.ini

c:\windows\system32\ping.com

c:\windows\system32\pwjceoun.ini

c:\windows\system32\RrsDdMoq.ini

c:\windows\system32\RrsDdMoq.ini2

c:\windows\system32\tasklist.com

c:\windows\system32\tracert.com

c:\windows\system32\wyoopghi.ini

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))

.

2008-12-06 16:48 . 2008-12-06 17:18 3,402 --a------ c:\windows\system32\tmp.reg

2008-12-04 19:06 . 2008-12-04 19:06 <DIR> d-------- c:\program files\Trend Micro

2008-12-01 10:24 . 2008-12-02 21:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2008-11-23 19:15 . 2008-11-30 22:05 <DIR> d-------- c:\program files\PokerStars.NET

2008-11-16 18:37 . 2008-11-16 18:37 <DIR> d-------- c:\program files\Webtools

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-03 02:44 --------- d-----w c:\program files\Incomplete

2008-12-03 02:42 --------- d-----w c:\program files\LimeWire

2008-12-01 02:24 --------- d-----w c:\documents and settings\Adrieann Rivera\Application Data\LimeWire

2008-11-06 00:08 --------- d-----w c:\documents and settings\Adrieann Rivera\Application Data\Apple Computer

2008-10-26 21:13 --------- d-----w c:\program files\iTunes

2008-10-26 21:13 --------- d-----w c:\program files\iPod

2008-10-26 21:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-10-26 21:12 --------- d-----w c:\program files\QuickTime

2008-10-26 21:11 --------- d-----w c:\program files\Common Files\Apple

2008-10-26 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"SpybotSD TeaTimer"="d:\spybot - search & destroy\TeaTimer.exe" [2008-07-07 2156368]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 218496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]

"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 1409024]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-07-01 71280]

"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-07-25 100056]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 36975]

"Adobe Reader Speed Launcher"="d:\adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"AGRSMMSG"="AGRSMMSG.exe" [2003-03-31 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2003-08-14 208896]

Timer Recording Manager.lnk - c:\program files\Sony\giga pocket\ReserveModule.exe [2003-08-14 262144]

VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2003-08-12 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=cqvxsu.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=

"c:\\Program Files\\Sony\\giga pocket\\gps.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\VAIO Media 2.6\\Vc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-27 97928]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-27 875288]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-27 231704]

S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-27 76040]

S2 F111230803DEBA54;F111230803DEBA54;\??\c:\documents and settings\Jaime Rivera\Desktop\F111230803DEBA54\F111230803DEBA54 []

S2 SonyKBS;Keyboard State Detection Service;c:\windows\system32\DRIVERS\SonyKBS.sys [2003-08-12 7936]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-06-08 42112]

.

Contents of the 'Scheduled Tasks' folder

2008-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-05-02 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1072662350.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 18:50]

2003-12-14 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 02:56]

2008-12-06 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDetect.exe []

.

- - - - ORPHANS REMOVED - - - -

BHO-{4EB727B3-2FC9-418B-A557-B006BF1D05BF} - (no file)

BHO-{7F4FF6D5-E71D-4B1A-AD0B-A660C1FD1837} - c:\windows\system32\efcdaxyW.dll

BHO-{89A9EFED-25F7-4866-995D-169F32321972} - (no file)

BHO-{A5F28546-F312-473F-9904-4D3EF6C9FCFC} - c:\windows\system32\qoMdDsrR.dll

BHO-{bfc1cbf4-eee8-446d-b6d9-8a1144a6fe29} - c:\windows\system32\cqvxsu.dll

HKCU-Run-vidxhp - c:\documents and settings\Adrieann Rivera\Application Data\Google\ggqjh22510678.exe

HKLM-Run-SiS KHooker - c:\windows\System32\khooker.exe

HKLM-Run-bc9ba61e - c:\windows\system32\nuoecjwp.dll

HKLM-Run-SiS Tray - (no file)

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

HKU-Default-Run-Symantec Network Driver Update Warning - c:\progra~1\Symantec\LIVEUP~1\SNDWarn.EXE

ShellExecuteHooks-{7F4FF6D5-E71D-4B1A-AD0B-A660C1FD1837} - c:\windows\system32\efcdaxyW.dll

Notify-efcdaxyW - efcdaxyW.dll

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-06 18:18:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F111230803DEBA54]

"ImagePath"="\??\c:\documents and settings\Jaime Rivera\Desktop\F111230803DEBA54\F111230803DEBA54"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F111230803DEBA54]

"ImagePath"="\??\c:\documents and settings\Jaime Rivera\Desktop\F111230803DEBA54\F111230803DEBA54"

.

Completion time: 2008-12-06 18:22:20 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-06 23:22:17

Pre-Run: 2,554,392,576 bytes free

Post-Run: 2,789,736,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

185 --- E O F --- 2008-09-12 17:54:08

Rorschach112 · December 7, 2008

Helllo

Please download the OTMoveIt3 by OldTimer or from here.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
:Processes
explorer.exe

:Services
F111230803DEBA54

:Reg

:Files
c:\program files\Webtools

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
```
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MichaelC · December 7, 2008

======== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

Service F111230803DEBA54 stopped successfully.

Service F111230803DEBA54 deleted successfully.

========== REGISTRY ==========

========== FILES ==========

c:\program files\Webtools moved successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12072008_154641

MichaelC · December 8, 2008

I also want to add that i tried starting my computer normally and when i get to the log on page to choose an account the computer freezes. However, i have noticed that the computer starts and does not freeze when i take out the ethernet cord. When the cord is connected it freezes. As a result, i can only use in safe mode.

Rorschach112 · December 8, 2008

Hello

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

MichaelC · December 9, 2008

BY THE WAY...I'VE BEEN DOING THIS ALL IN SAFE MODE. I DON'T KNOW IF IT MAKES A DIFFERENCE BUT I FIGURE I TELL YOU.

Malwarebytes' Anti-Malware 1.31

Database version: 1472

Windows 5.1.2600 Service Pack 2

12/7/2008 7:55:55 PM

mbam-log-2008-12-07 (19-55-55).txt

Scan type: Quick Scan

Objects scanned: 56727

Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 29

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 2

Files Infected: 22

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\wvUlIBtU.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\tuvSjJyY.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ddcCVOGv.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zycthq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53958725-2484-4e69-8790-56d0bf5e9a7e} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{53958725-2484-4e69-8790-56d0bf5e9a7e} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvsjjyy (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0b911fd-9af2-4b5a-b1f4-b5a30bf6cc56} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a0b911fd-9af2-4b5a-b1f4-b5a30bf6cc56} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvulibtu -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvulibtu -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Adrieann Rivera\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Jaime Rivera\Start Menu\\Programs\AntivirusTrigger 2.1 (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\wvUlIBtU.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\UtBIlUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UtBIlUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tuvSjJyY.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\zycthq.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gpaqdcgc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cgcdqapg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ddcCVOGv.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\Adrieann Rivera\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dlolsram.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jkkKApNH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Adrieann Rivera\Local Settings\temp\c3f90a2a-8050-4cf2-b2d9-a52b879925a9.tmp (Worm.P2P) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Start Menu\\Programs\AntivirusTrigger 2.1\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hosts (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Desktop\Adv. Antivirus.lnk (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Start Menu\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Desktop\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jaime Rivera\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

Rorschach112 · December 9, 2008

You can do it in normal mode

Post the Kaspersky log and a new HJT log

MichaelC · December 9, 2008

I cant run the kaspersky online scanner because java won't let me download because it says administrative policy prevents it. Also, i can't do it in normal mode unless i take out the ethernet cord. If i leave the ethernet cord connected and try it in normal mode, the computer freezes on the sign in menu. Internet Explorer wouldn't even open up in normal mode. I'll try again.

Rorschach112 · December 9, 2008

Ok post a new HJT log

MichaelC · December 10, 2008

*PERFORMED IN SAFE MODE*

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:56:43, on 12/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {4EB727B3-2FC9-418B-A557-B006BF1D05BF} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7F4FF6D5-E71D-4B1A-AD0B-A660C1FD1837} - (no file)

O2 - BHO: (no name) - {89A9EFED-25F7-4866-995D-169F32321972} - (no file)

O2 - BHO: (no name) - {bfc1cbf4-eee8-446d-b6d9-8a1144a6fe29} - (no file)