Anyone interested in the UPS Bundle of Viruses

My PC got a nasty infection. If anyone wants to study the nasty critters, I have them in a zip file on a USB stick. Just tell me how to send them.

After having a bad day with UPS, I stupidly opened an email which I thought was from UPS. Worse, I opened the attached zip and ran the .exe (yes, I still cannot believe I would have been so stupid). The sad thing is that I am not alone. Others have done the same.

First of all I got some terrifying screens telling me to buy and install “XPSecurity 2008” from what masqueraded as a Microsoft site.

On bootup, there were some strange processes such as rhcpdgj0et13.exe, lpctdgj0et13.exe and a new rhcpdgj0et13\ folder appeared in my C:\Program Files\ folder. A HouseCall scan turned up a number of viruses, but it could not remove them.

SDFix removed a number of viruses, including braviax.exe, which got rid of the “Buy XPSecurity …or else” displays. Avast!PE got rid of more nasties such as buritos.exe and karina.dat, but it keeps finding C:\Documents and Settings\Funke\Local settings..\ttB.tmp and ..\wssl52[1].exe each time my PC starts up, and lpctdgj0et13.exe appears as a new process. Also, even before log-in, a

        WARNING

Syware detected on your computer.
Install an antivirus or spyware remover to
clean your computer

And the screensaver has been replaced by a terrifying screen-saver that presents a BSOD (blue screen…), followed by a convincing show of the PC trying to reboot, followed by another BSOD and so on. The Desktop, Screen Saver tabs on the Screen’s property sheet have been hidden, so one cannot select a friendlier screen-saver nor extend the delay period.

This is as good as it gets with Avast!

Unwilling (and probably unable) to launch a career fighting malware, I have decided to kiss my hard drive good-bye. But I have preserved a vial of these nasties for whoever wishes to study them.

We don’t use the forums as a distribution point for malware; send the password-protected zip file (with the password in the body of the email; “virus” will do) to virus (at) avast dot com with the subject “Undetected Malware”.

XPSecurity 2008
is a well-known dangerous infection, with a goad to purchase a malware-remover product
it is fixable
first schedule a boot-time Avast scan
then scan with
Spybot Search and Destroy
Malwarebytes Anti-Malware
SuperAntiSpyware
quarantine, do not remove/delete any hits (in case of false positives or the need to restore)

report back

you may end up posting a HJT

Thanks for recommendations.

Because this threatens to be a BIG project, I have set this aside for a few days so I can get caught up with my work. Each scan takes about 12 to 24 hrs.

What I am learning from this is that one should really set up a fairly small (~40GB) boot partition which can be backed up and restored with partImage s/w. Having a ton of data files on the boot partition has the effect of slowing scanning. It would seem that there is merit in reducing the size of the haystack, should one have to look for a needle in it.

I emailed a zip with the UPS virus package as instructed by DavidR.

Should there be any progress in tracking down the critters, being curious, I would like to find out how I can learn about it.

You normally don’t get a reply (a failing to my mind, there should at the very least be an auto responder so you know that they have at least got it) unless they need more information.

You can also add the samples to the User Files section of the avast chest where they can do no harm and periodically scan them from within the User Files section of the chest. One day hopefully you will have a surprise as avast alerts.

xp 2008 virus/ malware

from the spybot forum-

It’s on RogueRemover’s radar:

http://www.malwarebytes.org/roguenet.php?id=421

RogueRemoverFREE:

http://www.malwarebytes.org/rogueremover.php

have you run something like CCleaner???

here’s a thread of a poster with XP2008 with no AV and initial inability to read the stickies and follow instructions
do not be put off by this- especially if Malware bytes works
http://forums.spybot.info/showthread.php?t=31408

as I said before, try the boot-time Avast scan first
then MBAM (Malwarebytes Anti-Malware)
report back
this is a team effort

no use running Spybot today as the definition is being added to Wednesday’s beta update
see #9 in this thread
http://forums.spybot.info/showthread.php?t=29150
If you are not familiar with Spybot Search and Destroy, post back

need I say- Do not try this at home :slight_smile: (alone)

My PC is no longer displaying alarming messages and more alarming BSOD screensavers, thanks to Malware Bytes Anti Malware. Here is the MBAM report:

Malwarebytes’ Anti-Malware 1.23
Database version: 985
Windows 5.1.2600 Service Pack 2

5:07:49 PM 29/07/2008
mbam-log-7-29-2008 (17-07-49).txt

Scan type: Full Scan (C:|)
Objects scanned: 515785
Time elapsed: 5 hour(s), 57 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 12
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcpdgj0et13 (Rogue.Multiple) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctdgj0et13 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcpdgj0et13 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13 (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKCU (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKLM (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\BrowserObjects (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\rhcpdgj0et13\Quarantine\Packages (Rogue.Multiple) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Wise InstallBuilder 8.1\PROGRESS\WizWin32.dll (Rogue.EvidenceEliminator) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) → Quarantined and deleted successfully.
C:\WINDOWS\system32\blphctdgj0et13.scr (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\lphctdgj0et13.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\phctdgj0et13.bmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt1.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt2.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt3.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt4.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt5.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt6.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt7.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt8.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.tt9.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.ttA.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.ttB.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
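The MBAM report above is the kind of artefact a helper reads by hand. As an added example (not code from the thread or from Malwarebytes), this Python parser reads such a report, checks that each section's entries agree with the summary counts at the top, and pulls out the entries that explain the symptoms described earlier: the Run-key autostarts, the hidden Display Properties tabs and the replaced screensaver. The sample report embedded in it is constructed from the one posted above, trimmed to a few lines per section; the three persistence rules are the example's own, not MBAM's.

```python
"""Parse and sanity-check a Malwarebytes' Anti-Malware (MBAM) report like the one above."""
import re
from collections import namedtuple

# Constructed sample, trimmed from the report above.  MBAM writes "->" where the
# forum rendering shows an arrow glyph; both are accepted below.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.23
Database version: 985

Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctdgj0et13 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\blphctdgj0et13.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphctdgj0et13.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

Entry = namedtuple("Entry", "section path family bad good action")
_SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
_HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
_ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\)(?P<rest>.*)$")
_ARROW_RE = re.compile(r"\s*(?:->|\u2192)\s*")
_BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return {"summary": {section: count}, "sections": {section: [Entry, ...]}}."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUMMARY_RE.match(line)
        if m:                                   # summary block: "Registry Keys Infected: 3"
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = _HEADER_RE.match(line)
        if m:                                   # section header: "Registry Keys Infected:"
            current = m.group("section")
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue                            # unknown line shape: skip rather than guess
        parts = [p for p in _ARROW_RE.split(m.group("rest")) if p]
        bad = good = None
        for p in parts:                         # data items carry "Bad: (x) Good: (y)"
            bg = _BADGOOD_RE.search(p)
            if bg:
                bad, good = bg.group("bad"), bg.group("good")
        action = parts[-1] if parts else ""     # last arrow segment is what MBAM did
        sections[current].append(
            Entry(current, m.group("path"), m.group("family"), bad, good, action))
    return {"summary": summary, "sections": sections}


def count_mismatches(report):
    """Sections whose listed entries disagree with the summary count: {section: (expected, actual)}."""
    bad = {}
    for section, expected in report["summary"].items():
        actual = len(report["sections"].get(section, []))
        if actual != expected:
            bad[section] = (expected, actual)
    return bad


# Example's own rules for the persistence tricks described in the thread.
PERSISTENCE_RULES = (
    ("autostart", re.compile(r"\\currentversion\\run(once)?\\", re.I)),
    ("display_lockdown", re.compile(r"\\policies\\system\\nodisp", re.I)),
    ("screensaver", re.compile(r"(\\scrnsave\.exe$|\.scr$)", re.I)),
)


def persistence_findings(report):
    """Group every remediated path by the persistence rule it matches."""
    found = {name: [] for name, _ in PERSISTENCE_RULES}
    for entries in report["sections"].values():
        for e in entries:
            for name, rx in PERSISTENCE_RULES:
                if rx.search(e.path):
                    found[name].append(e.path)
    return found
```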

Good news
However, sometimes this Virtumonde infection comes with lots of friends
hopefully one of the removal experts will look at your post

If you have not run a boot-time Avast scan, manually update and do that now

run ccleaner or similar

What I’d do is run a Kaspersky or BitDefender online scan - turn on all the options
post any hits (which may be false positives, so quarantine - do not delete/remove)
reason: BitDefender uses heuristics, which is a different approach from Avast’s - both have their place

DavidR states in another thread:
“BitDefender free is on-demand only so shouldn’t be a problem, I would simply suggest you pause the standard shield whilst doing the BitDefender scan.” - good advice, as well as closing unneeded programs and locking the web

removing crap is more difficult if there is an uncaught virus lurking

Then download a fresh copy of HijackThis to your desktop
right-click and rename it to hijackfunke.exe
why rename?
some malware is smart enough to disable HJT
Close all windows and browsers, including this one - read the instructions
run a HJT “scan only” and post it here with the AV log
DO NOT FIX ANYTHING without help
you can read the stickies at the SaferNetworking general malware removal forum for some good ideas/caveats
http://forums.spybot.info/forumdisplay.php?f=21
please do not post in more than one forum without your helper’s OK, and link back to here
Malware removal forums are really busy, and you can get advice which conflicts and can leave you really screwed up

thanks

I think you will find that the Avast forum is VERY responsive :slight_smile:

The Avast forum is VERY responsive indeed. I have not even had a chance to add my Trojan Remover scan before getting a response.

There is a good UPS Infection thread at http://support.bicester-computers.com/showthread.php?t=18. They recommend Trojan Remover → MBAM → F-Prot. But I have trouble following instructions. I did MBAM → Trojan Remover → Avast boot scan. Each has found nasties. Here is the Trojan Remover scan log:

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
29/07/2008 5:26:47 PM: Trojan Remover has been restarted
The AppInitDLLs Registry entry has been reset
Unable to rename C:\WINDOWS\system32\cru629.dat to C:\WINDOWS\system32\cru629.dat.vir
(C:\WINDOWS\system32\cru629.dat does not appear to exist)
29/07/2008 5:26:47 PM: Trojan Remover closed


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.1.2536. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 5:22:58 PM 29 Jul 2008
Using Database v7080
Operating System: Windows XP SP2 [Windows XP Home Edition Service Pack 2 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Mike\Application Data\Simply Super Software\Trojan Remover
Database directory: C:\Program Files\Trojan Remover
Logfile directory: C:\Documents and Settings\Mike\My Documents\Simply Super Software\Trojan Remover Logfiles
Program directory: C:\Program Files\Trojan Remover
Running with Administrator privileges


The regfile\shell\open\command Registry Key appears to have been modified.
The current Registry entry is: regedit.exe “%1” %*.
This entry calls the following file:
C:\WINDOWS\regedit.exe
Trojan Remover has restored the Registry regfile\shell\open key.


5:23:15 PM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS


5:23:15 PM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS


5:23:15 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.


5:23:16 PM: Scanning -----WINDOWS REGISTRY-----

Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key’s “Shell” value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033216 bytes
Created: 10/08/2004
Modified: 13/06/2007
Company: Microsoft Corporation

This key’s “Userinit” value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
24576 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation

This key’s “System” value appears to be blank

This key’s “UIHost” value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation


Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: SoundMAXPnP
Value Data: C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
1404928 bytes
Created: 06/09/2005
Modified: 14/10/2004
Company: Analog Devices, Inc.

Value Name: SunJavaUpdateSched
Value Data: “C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe”
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
144784 bytes
Created: 24/04/2008
Modified: 25/03/2008
Company: Sun Microsystems, Inc.

Value Name: ISUSPM Startup
Value Data: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
221184 bytes
Created: 27/07/2004
Modified: 27/07/2004
Company: InstallShield Software Corporation

Value Name: ISUSScheduler
Value Data: “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
81920 bytes
Created: 27/07/2004
Modified: 27/07/2004
Company: InstallShield Software Corporation

Value Name: igfxtray
Value Data: C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe
94208 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation

Value Name: igfxhkcmd
Value Data: C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
77824 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation

Value Name: igfxpers
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
114688 bytes
Created: 20/09/2005
Modified: 20/09/2005
Company: Intel Corporation

Value Name: Google Desktop Search
Value Data: “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1838592 bytes
Created: 09/11/2006
Modified: 24/08/2007
Company: Google

Value Name: Adobe Reader Speed Launcher
Value Data: “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
39792 bytes
Created: 11/01/2008
Modified: 11/01/2008
Company: Adobe Systems Incorporated

Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
910416 bytes
Created: 29/07/2008
Modified: 26/07/2008
Company: Simply Super Software


Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty

Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: MsnMsgr
Value Data: “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
C:\Program Files\MSN Messenger\MsnMsgr.Exe [file not found to scan]

Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation

Value Name: swg
Value Data: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
68856 bytes
Created: 13/07/2007
Modified: 13/07/2007
Company: Google Inc.

Value Name: Skype
Value Data: “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
C:\Program Files\Skype\Phone\Skype.exe
-R- 21718312 bytes
Created: 30/05/2008
Modified: 30/05/2008
Company: Skype Technologies S.A.


Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty

Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty


5:23:19 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place


5:23:19 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed

No Hidden File-loading Registry Entries found


5:23:20 PM: Scanning -----ACTIVE SCREENSAVER-----
No active ScreenSaver found to scan.


…continued on next post

Trojan Remover Log continued…


5:23:20 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Key: {94de52c8-2d59-4f1b-883e-79663d2d9a8c}
Path: rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
C:\WINDOWS\system32\Setup\FxsOcm.dll
132608 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation


5:23:20 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: AppMgmt
%SystemRoot%\System32\appmgmts.dll - file is globally excluded (file cannot be found)


5:23:20 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: aspnet_state
ImagePath: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
32768 bytes
Created: 14/07/2004
Modified: 14/07/2004
Company: Microsoft Corporation

Key: C4ULoad2515
ImagePath: System32\Drivers\C4ULoad2.sys
C:\WINDOWS\System32\Drivers\C4ULoad2.sys
19112 bytes
Created: 27/04/2004
Modified: 27/04/2004
Company: anchor chips

Key: CAN4USB_MCP2515
ImagePath: System32\Drivers\ezusb.sys
C:\WINDOWS\System32\Drivers\ezusb.sys
-R- 12307 bytes
Created: 29/05/2002
Modified: 29/05/2002
Company: cypress semiconductor

Key: cvslock
ImagePath: “C:\Program Files\CVSNT\cvslock.exe”
C:\Program Files\CVSNT\cvslock.exe
58368 bytes
Created: 05/07/2006
Modified: 05/07/2006
Company:

Key: cvsnt
ImagePath: “C:\Program Files\CVSNT\cvsservice.exe”
C:\Program Files\CVSNT\cvsservice.exe
37888 bytes
Created: 05/07/2006
Modified: 05/07/2006
Company: March Hare Software Ltd

Key: DSBrokerService
ImagePath: “C:\Program Files\DellSupport\brkrsvc.exe”
C:\Program Files\DellSupport\brkrsvc.exe
76848 bytes
Created: 07/03/2007
Modified: 07/03/2007
Company:

Key: DSproct
ImagePath: ??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
4736 bytes
Created: 05/10/2006
Modified: 05/10/2006
Company: Gteko Ltd.

Key: dsunidrv
ImagePath: system32\DRIVERS\dsunidrv.sys
C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
-S- 5376 bytes
Created: 25/02/2007
Modified: 25/02/2007
Company: Gteko Ltd.

Key: GoogleDesktopManager
ImagePath: “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe”
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1838592 bytes
Created: 09/11/2006
Modified: 24/08/2007
Company: Google

Key: gusvc
ImagePath: “C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe”
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
138168 bytes
Created: 31/01/2007
Modified: 31/01/2007
Company: Google

Key: hhdserial
ImagePath: ??\C:\WINDOWS\system32\drivers\hhdserial.sys
C:\WINDOWS\system32\drivers\hhdserial.sys
30856 bytes
Created: 26/03/2008
Modified: 02/10/2007
Company: HHD Software Ltd.

Key: HSFHWBS2
ImagePath: system32\DRIVERS\HSFHWBS2.sys
C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
212224 bytes
Created: 06/09/2005
Modified: 17/11/2003
Company: Conexant Systems, Inc.

Key: ialm
ImagePath: system32\DRIVERS\ialmnt5.sys
C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
1302332 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation

Key: mf
ImagePath: system32\DRIVERS\mf.sys
C:\WINDOWS\system32\DRIVERS\mf.sys
63744 bytes
Created: 03/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation

Key: NDMSHLP
ImagePath: ??\C:\Program Files\Common Files\HHD Software\Device Monitor\ndmshlp.sys
C:\Program Files\Common Files\HHD Software\Device Monitor\ndmshlp.sys
7632 bytes
Created: 24/05/2005
Modified: 24/05/2005
Company: HHD Software

Key: NetSvc
ImagePath: C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
143360 bytes
Created: 17/12/2003
Modified: 17/12/2003
Company: Intel(R) Corporation

Key: NPF
ImagePath: system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\npf.sys
32512 bytes
Created: 02/08/2005
Modified: 02/08/2005
Company: CACE Technologies

Key: rpcapd
ImagePath: “%ProgramFiles%\WinPcap\rpcapd.exe” -d -f “%ProgramFiles%\WinPcap\rpcapd.ini”
C:\Program Files\WinPcap\rpcapd.exe
86016 bytes
Created: 02/08/2005
Modified: 02/08/2005
Company: CACE Technologies

Key: senfilt
ImagePath: system32\drivers\senfilt.sys
C:\WINDOWS\system32\drivers\senfilt.sys
732928 bytes
Created: 06/09/2005
Modified: 17/09/2004
Company: Creative Technology Ltd.

Key: Ser2pl
ImagePath: system32\DRIVERS\ser2pl.sys
C:\WINDOWS\system32\DRIVERS\ser2pl.sys
-R- 42752 bytes
Created: 01/02/2006
Modified: 27/06/2004
Company: Prolific Technology Inc.

Key: SerIMPsw
ImagePath: system32\DRIVERS\serimpsw.sys
C:\WINDOWS\system32\DRIVERS\serimpsw.sys
60800 bytes
Created: 17/01/2006
Modified: 21/01/2004
Company: Windows (R) 2000 DDK provider

Key: SerMon
ImagePath: ??\C:\Program Files\HHD Software\Free Serial Port Monitor\sermon.sys
C:\Program Files\HHD Software\Free Serial Port Monitor\sermon.sys
18432 bytes
Created: 24/05/2005
Modified: 24/05/2005
Company: HHD Software

Key: smwdm
ImagePath: system32\drivers\smwdm.sys
C:\WINDOWS\system32\drivers\smwdm.sys
260352 bytes
Created: 06/09/2005
Modified: 27/01/2005
Company: Analog Devices, Inc.

Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 10/08/2004
Modified: 04/08/2004
Company: Microsoft Corporation

Key: TetaSCDevice
ImagePath: ??\C:\WINDOWS\system32\tetascop.SYS
C:\WINDOWS\system32\tetascop.SYS [file not found to scan]

Key: U2SP
ImagePath: system32\DRIVERS\u2s2kxp.sys
C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys
23387 bytes
Created: 26/08/2002
Modified: 26/08/2002
Company: Magic Control Technology Corp.

Key: wanatw
ImagePath: system32\DRIVERS\wanatw4.sys
C:\WINDOWS\system32\DRIVERS\wanatw4.sys [file not found to scan]

Key: WinDriver6
ImagePath: system32\drivers\windrvr6.sys
C:\WINDOWS\system32\drivers\windrvr6.sys
329072 bytes
Created: 10/08/2005
Modified: 10/08/2005
Company: Jungo


5:23:26 PM: Scanning -----VXD ENTRIES-----


5:23:26 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key: igfxcui
DLL: igfxdev.dll
C:\WINDOWS\system32\igfxdev.dll
135168 bytes
Created: 06/09/2005
Modified: 20/09/2005
Company: Intel Corporation


5:23:26 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: Notepad++
CLSID: {120B94B5-2E6A-4F13-94D0-414BCB64FA0F}
Path: C:\Program Files\Notepad++\nppcm.dll
C:\Program Files\Notepad++\nppcm.dll
24576 bytes
Created: 23/11/2006
Modified: 23/11/2006
Company: Burgaud.com

Key: TextPad
CLSID: {2F25CF20-C569-11D1-B94C-00608CB45480}
Path: C:\Program Files\TextPad 4\System\shellext.dll
C:\Program Files\TextPad 4\System\shellext.dll
49152 bytes
Created: 30/10/2003
Modified: 30/10/2003
Company: Helios Software Solutions

Key: TortoiseCVS
CLSID: {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
Path: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll
1073152 bytes
Created: 12/09/2005
Modified: 12/09/2005
Company: www.tortoisecvs.org

Key: WinMerge
CLSID: {4E716236-AA30-4C65-B225-D68BBA81E9C2}
Path: C:\Program Files\WinMerge\ShellExtensionU.dll
C:\Program Files\WinMerge\ShellExtensionU.dll
65536 bytes
Created: 03/07/2007
Modified: 19/06/2007
Company:


5:23:26 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll
1073152 bytes
Created: 12/09/2005
Modified: 12/09/2005
Company: www.tortoisecvs.org


5:23:26 PM: Scanning ----- BROWSER HELPER OBJECTS -----
No Browser Helper Objects found to scan


5:23:26 PM: Scanning ----- SHELLSERVICEOBJECTS -----


…continued on next post…

Trojan Remover scan log continued…


5:23:26 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----


5:23:26 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No “Debugger” entries found.


5:23:26 PM: Scanning ----- APPINIT_DLLS -----
AppInitDLLs entry = [cru629.dat]
cru629.dat - this reference will be removed
C:\WINDOWS\system32\cru629.dat - unable to take ownership/change permissions
C:\WINDOWS\system32\cru629.dat - marked for renaming when the PC is restarted (if it exists)


5:24:05 PM: Scanning ----- SECURITY PROVIDER DLLS -----


5:24:06 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 10/08/2004
Modified: 10/08/2004
Company:

C:\Program Files\Microsoft Office\Office\OSA9.EXE
65588 bytes
Created: 21/03/1999
Modified: 21/03/1999
Company: Microsoft Corporation
Microsoft Office.lnk - links to C:\Program Files\Microsoft Office\Office\OSA9.EXE


5:24:06 PM: Scanning ------ USER STARTUP GROUPS ------

Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 24/07/2008
Modified: 10/08/2004
Company:


5:24:06 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan


5:24:06 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----
Key: TortoiseCVS0
CLSID: {5d1cb710-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS1
CLSID: {5d1cb711-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS2
CLSID: {5d1cb712-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS3
CLSID: {5d1cb713-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS4
CLSID: {5d1cb714-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS5
CLSID: {5d1cb715-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned

Key: TortoiseCVS6
CLSID: {5d1cb716-1c4b-11d4-bed5-005004b1f42f}
File: C:\Program Files\TortoiseCVS\TrtseShl.dll
C:\Program Files\TortoiseCVS\TrtseShl.dll - file already scanned


5:24:06 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed

Winlogon registry rootkit checks completed

Heuristic checks for hidden files/drivers completed

Layered Service Provider entries checks completed

Windows Explorer Policies checks completed

Desktop Wallpaper entry is blank

Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 10/08/2004
Modified: 10/08/2004
Company:

Additional file checks completed


5:24:07 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
[1 loaded module]

C:\WINDOWS\system32\csrss.exe
[10 loaded modules in total]

C:\WINDOWS\system32\winlogon.exe
[66 loaded modules in total]

C:\WINDOWS\system32\services.exe
[37 loaded modules in total]

C:\WINDOWS\system32\lsass.exe
[62 loaded modules in total]

C:\WINDOWS\system32\svchost.exe
[49 loaded modules in total]

C:\WINDOWS\system32\svchost.exe
[39 loaded modules in total]

C:\WINDOWS\System32\svchost.exe
[160 loaded modules in total]

C:\WINDOWS\system32\svchost.exe
[32 loaded modules in total]

C:\WINDOWS\system32\svchost.exe
[42 loaded modules in total]

C:\WINDOWS\system32\spoolsv.exe
[52 loaded modules in total]

C:\Program Files\CVSNT\cvslock.exe
[33 loaded modules in total]

C:\Program Files\CVSNT\cvsservice.exe
[46 loaded modules in total]

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
[19 loaded modules in total]

C:\WINDOWS\system32\svchost.exe
[39 loaded modules in total]

C:\WINDOWS\system32\wdfmgr.exe
[14 loaded modules in total]

C:\WINDOWS\System32\alg.exe
[33 loaded modules in total]

C:\WINDOWS\Explorer.EXE
[99 loaded modules in total]

C:\WINDOWS\system32\wscntfy.exe
[16 loaded modules in total]

C:\Program Files\Analog Devices\Core\smax4pnp.exe
[35 loaded modules in total]

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
[25 loaded modules in total]

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[9 loaded modules in total]

C:\WINDOWS\system32\hkcmd.exe
[20 loaded modules in total]

C:\WINDOWS\system32\igfxpers.exe
[21 loaded modules in total]

C:\WINDOWS\system32\ctfmon.exe
[25 loaded modules in total]

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[53 loaded modules in total]

C:\Program Files\Skype\Phone\Skype.exe
[74 loaded modules in total]

C:\Program Files\Skype\Plugin Manager\skypePM.exe
[58 loaded modules in total]

C:\WINDOWS\system32\taskmgr.exe
[36 loaded modules in total]

C:\WINDOWS\system32\wuauclt.exe
[42 loaded modules in total]

C:\Documents and Settings\Mike\Application Data\Simply Super Software\Trojan Remover\kvw2.exe
FileSize: 2536000
[This is a Trojan Remover component]
[25 loaded modules in total]


5:24:24 PM: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:
No malicious entries were found in the AUTOEXEC.BAT file


5:24:24 PM: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file


5:24:24 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file


5:24:24 PM: Scanning ------ %TEMP% DIRECTORY ------


5:24:25 PM: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------


5:24:25 PM: Scanning ------ ROOT DIRECTORY ------


5:24:25 PM: ------ Scan for other files to remove ------
No malware-related files found to remove


Remainder of Trojan Remover scan:


------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main"Start Page":
http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main"Search Page":
http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main"Default_Search_URL":
http://www.google.com/ie
HKLM\Software\Microsoft\Internet Explorer\Search"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search"SearchAssistant":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main"Start Page":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main"Search Page":
http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main"Default_Page_URL":
http://www.dell.ca/myway


=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 5:24:25 PM 29 Jul 2008

One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
29/07/2008 5:24:28 PM: restart commenced


Phew!!

Following up on my MBAM → Trojan Removal → Avast bootScan. Each has found nasties. Here is the Avast bootScan log:

CmdLine - quick
aswBoot.exe /A:"*" /L:"English" /KBD:2
CmdLine end
SafeBoot: 0
CreateKbThread
new CKbBuffer
CKbBuffer::Init
CKbBuffer::Init end
NtCreateEvent(g_hStopEvent)
dep_osBeginThread - KbThread
CreateKbThread end
NtInitializeRegistry
KbThread start
ReadRegistry
DATA=C:\Program Files\Alwil Software\Avast4\DATA
PROG=C:\Program Files\Alwil Software\Avast4
BUILD=1229
Microsoft Windows XP Service Pack 2
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
ReadRegistry end
CreateTemp
CreateTemp end
cmnbInit
SetFolders
SetFolders end
aswEnginDllMain(DLL_PROCESS_ATTACH)
InitLog
InitLog end
CmdLine - full
aswBoot.exe /A:"*" /L:"English" /KBD:2
CmdLine end
Unschedule
Unschedule end
LoadResources
LoadResources end
InitReport
InitReport end
NtSetEvent(g_hInitEvent) - 1
InitKeyboard
FreeMemory: 434495488
g_dwKbdNum: 2
avworkInitialize
s_dwKbdClassCnt: 2
InitKeyboard end
NtSetEvent(g_hInitEvent) - 2
GetKey
FreeMemory: 384831488
CKbBuffer::Wait
CKbBuffer::Get
CKbBuffer::Get end
CKbBuffer::Wait end
ProcessArea
avfilesScanAdd *MBR0
avfilesScanAdd *RAW:C:\ [Fs: 000500ff, NTFS; Dev: 07, 00000020]
avfilesScanRealMulti begin
CKbBuffer::Get
0, 7, 0, 0, 0
GetKey end
CKbBuffer::Put
CKbBuffer::Put end
CKbBuffer::Get end
GetKey
0, 7, 1, 0, 0
avfilesScanRealMulti finished
avworkClose
Checking deleted files:
MarkFileRemoval
MarkFileRemoval end
TerminateKbThread
GetKey end
CloseKeyboard
CloseKeyboard end
KbThread stop
CKbBuffer::~CKbBuffer
CKbBuffer::~CKbBuffer end
aswEnginDllMain(DLL_PROCESS_DETACH)
cmnbFree
FreeResources
CloseReport
CloseLog

OK
I’m not familiar with Trojan Remover - what a log
I’ve used Trojan Hunter which has a nice 30 day free trial
and A-Squared free
did you buy trojan remover?

anyway
go to my last post
start at run ccleaner
and continue
post a nice hjt log and let’s see if freewheeling frank or one of the HJT experts will pronounce you clean or in need of some additional work
there are things that the tools/ programs can’t easily get- or you have to know which one to use
AND IN WHICH ORDER

ps
DO NOT RUN COMBO FIX unattended- or anything else not mentioned above

The C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt provides a more user-friendly summary of the boot-time scan and it should list any detections.

DavidR: Yes, I posted the Avast bootScan in Reply #13.

wrmryder: I have done an F-Prot scan as suggested by the UPS thread (http://support.bicester-computers.com/showthread.php?t=18) and a CCleaner run at your suggestion. SpyBot S & D is next.

F-Prot only found malware in the HouseCall Quarantine folder. Here is its log:

-----------------------------SCAN REPORT-----------------------------
F-PROT Antivirus for Windows

Antivirus Scanning Engine version number: 4.4.4
Virus signature file from: 28/04/2008, 1:17 PM

Scan name: [My Computer]
Path to scan: [My Computer]

Normal scan
Also scan: Inside subfolders, Compressed files, Streams

Scan started: 30/07/2008, 10:08:34 AM

[Warning] C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[Warning] C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[Warning] C:\Documents and Settings\LocalService\NTUSER.DAT
[Warning] C:\Documents and Settings\LocalService\ntuser.dat.LOG
[Found security risk] <W32/WinReanimator.B (exact, not disinfectable)> C:\Documents and Settings\Mike.housecall6.6\Quarantine\Binaries2.zip.bac_a02348->(XORCrypt)->XPSecurityCenter.dll
[Contains infected objects] C:\Documents and Settings\Mike.housecall6.6\Quarantine\Binaries2.zip.bac_a02348
[Quarantined] C:\Documents and Settings\Mike.housecall6.6\Quarantine\Binaries2.zip.bac_a02348->(XORCrypt)->pthreadVC2.dll
[Found possible security risk] <W32/Heuristic-XEN!Eldorado (not disinfectable)> C:\Documents and Settings\Mike.housecall6.6\Quarantine\cru629.dat.bac_a00280->(XORCrypt)
[Quarantined] C:\Documents and Settings\Mike.housecall6.6\Quarantine\cru629.dat.bac_a00280->(XORCrypt)
[Found possible security risk] <W32/Heuristic-XEN!Eldorado (not disinfectable)> C:\Documents and Settings\Mike.housecall6.6\Quarantine\karina.dat.bac_a00280->(XORCrypt)
[Quarantined] C:\Documents and Settings\Mike.housecall6.6\Quarantine\karina.dat.bac_a00280->(XORCrypt)
[Found possible security risk] <W32/Heuristic-XEN!Eldorado (not disinfectable)> C:\Documents and Settings\Mike.housecall6.6\Quarantine\karina.dat.bac_a02348->(XORCrypt)
[Quarantined] C:\Documents and Settings\Mike.housecall6.6\Quarantine\karina.dat.bac_a02348->(XORCrypt)
[Found security risk] <W32/WinReanimator.B (exact)> C:\Documents and Settings\Mike.housecall6.6\Quarantine\XPSecurityCenter.dll.bac_a02352->(XORCrypt)
[Deleted] C:\Documents and Settings\Mike.housecall6.6\Quarantine\XPSecurityCenter.dll.bac_a02352->(XORCrypt)
[Warning] C:\Documents and Settings\Mike\Application Data\FRISK Software\F-PROT Antivirus for Windows\ReportFiles\2008-07-30T10-08-34 - [My Computer].txt
[Unscannable] C:\Documents and Settings\Mike\Application Data\Opera\Opera\profile\cache4\opr00E8G.htm->(packed)
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\call256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\callmember256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chat512.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chatmember256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chatmsg1024.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chatmsg256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chatmsg4096.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\chatmsg512.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\contactgroup256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\index2.dat
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\profile256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\user1024.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\user16384.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\user256.dbb
[Warning] C:\Documents and Settings\Mike\Application Data\Skype\bob.furber\voicemail256.dbb
[Warning] C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[Warning] C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[Warning] C:\Documents and Settings\Mike\NTUSER.DAT
[Warning] C:\Documents and Settings\Mike\ntuser.dat.LOG
[Warning] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[Warning] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[Warning] C:\Documents and Settings\NetworkService\NTUSER.DAT
[Warning] C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ABORT.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ABS.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ALLOC.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ATOI.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->CTYPE.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->LIB.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MEMCHR.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MEMCMP.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MEMCPY.C

-----------------------------SCAN REPORT-----------------------------
F-PROT Antivirus for Windows ctd…

[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MEMMOVE.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MEMSET.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->MODF.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->NEWHEAP.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->PRINTF.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->PUTS.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->RAND.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->SPRINTF.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STDIO.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRCAT.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRCHR.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRCMP.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRCSPN.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRLEN.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRNCAT.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRNCMP.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRNCPY.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRPBRK.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRRCHR.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRSPN.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRSTR.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRTOL.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRTOUL.C
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->atol.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fmod.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fp2long.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fpabs.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fpatrig.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fplong.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->iochar.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->itoa.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->long2fp.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ltoa.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->serial.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->stdarg.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->ulong2fp.c
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->CRT16EVB.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->CRT16MF.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->CRT16MNF.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FP.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FP2INT.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPADD.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPBUF.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPCMP.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPDIV.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPEXP.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPFLTSTR.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPINTFLT.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPLOG.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPMODMUL.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPSQRT.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPSTRFLT.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPSUB.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->FPTRIG.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->STRCPY.S
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->cnstutil.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->crt16.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->crtsevb.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->div.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->end16.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->io.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->long.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->longarth.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->setjmp.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->setup.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->util.s
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->_ALLOC.H
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->fperr.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->hc16_icc.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->long.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->rtevb16.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->rtevb16l.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->rtmitef.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->rtmitenf.h
[Unscannable] C:\Mailbox\F16-mite-RTL\F16\ICC\libsrc.16\libsrc.zip->makefile.16
[Unscannable] C:\Program Files\Advanced Serial Port Monitor\aspmon.pdb->aspmon.pdb
[Unscannable] C:\Program Files\Microsoft Visual Studio .NET 2003\CompactFrameworkSDK\v1.0.5000\Windows CE\sqlce20sql2ksp1.exe->(CAB)->\CONNECT.CAB->sqlredis.exe.F26FFD4A_05B4_4969_A552_30C7F9BAB1F4->(CAB)->mdacxpak.cab
[Unscannable] C:\Program Files\MSDN\2004JAN\1033\dnacc.hxs->(ZIP)->DCM_Document.doc
[Unscannable] C:\Program Files\Wise InstallBuilder 8.1\RUNTIME\ODBC30\40COMUPD.EXE
[Warning] C:\WINDOWS\system32\config\DEFAULT
[Warning] C:\WINDOWS\system32\config\default.LOG
[Warning] C:\WINDOWS\system32\config\SAM
[Warning] C:\WINDOWS\system32\config\SAM.LOG
[Warning] C:\WINDOWS\system32\config\SECURITY
[Warning] C:\WINDOWS\system32\config\SECURITY.LOG
[Warning] C:\WINDOWS\system32\config\SOFTWARE
[Warning] C:\WINDOWS\system32\config\software.LOG
[Warning] C:\WINDOWS\system32\config\SYSTEM
[Warning] C:\WINDOWS\system32\config\system.LOG
[Unscannable] D:\UPS_Invoice.zip->UPS_INVOICE_978172.zip
[Unscannable] D:\UPS_Invoice.zip->Padding.txt


Scan ended: 30/07/2008, 3:44:03 PM
Duration: 5:35:28

Scan result:

Scanned files: 481076
Infected objects: 5
Disinfected objects: 1
Quarantined files: 4

No you didn't, you posted the C:\Program Files\Alwil Software\Avast4\DATA\log\aswBoot.log file not the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt.

Check it and you will see it is a much more user friendly report.

07/09/2008 14:04 Scan of all local drives

Number of searched folders: 876
Number of tested files: 11214
Number of infected files: 0


07/30/2008 09:51
Scan of C:\

Scan of E:\

File E:\zz-avast-Exclude\breakout-mozilla-firefox.exe is infected by Win32:Agent-MP [trj]
File E:\zz-avast-Exclude\breakout.exe is infected by Win32:Trojan-gen {Other}
File E:\zz-avast-Exclude\UnInstaller.exe is infected by Win32:Adware-gen [Adw]
File E:\zz-avast-Exclude\zabypass\zabypass.exe is infected by Win32:FWBypass [Tool]
File E:\zz-avast-Exclude\zEicarTests\eicar.com is infected by EICAR Test-NOT virus!!
Number of searched folders: 2493
Number of tested files: 26725
Number of infected files: 5

Thanks for ‘C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt’ tip. I shall post that next.

I did a CCleaner Scan and it removed 6 years of temp files and cookies. The log file is 422,636 characters, so it is not practical to upload it. Perhaps someone could suggest what I should be looking for.

The HJT log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:24 PM, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Validate XML - C:\WINDOWS\web\msxmlval.htm
O8 - Extra context menu item: View XSL Output - C:\WINDOWS\web\msxmlvw.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip..{69752F42-1B23-4437-BB67-3E92CC00B86C}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


End of file - 5374 bytes