system
December 9, 2009, 4:26am
1
So sometime ago I found this on my computer, now I don’t know which verison it is(google states there being a Trojan./Adware. verison)I deleted it along with it’s registry files.Now a couple day’s ago,about 2 minutes into the scan I found another registry of this.What I’m wondering how was this missed and if it has been there the whole time.Now I do go on somesites that do have pop-ups such as armor games, but avast should of picked it up as malware shouldn’t it?
Pctools states that the program(.adware) is installed as a browser helper tool that displays ads at random intervals.I’m wondering if this could have been installed on some private sites that I’ve been on. So I’m mostly wondering if this installed it’s self onto my computer through a web page or was it bundeled with something else.The computer this registry bit is a shared computer and I do not know what the other people go onto.However I do know that most of the sites are of chinese orgin.Now asuming that these installed them selves through a web page avast should of pop’d-up right?Would this be a possable place in which the adware came from?
[NSFW][google link]http://www.google.com/search?q=pornhub&rls=com.microsoft:*:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLL_en
avast did not detect anything however the site did have links that created pop-ups while opening an actual page.
Malwarbytes:
Trojan.Cinmus, Registry Key, HKEY_CURRENT USER\SOFTWARE\Microsoft\Windows\CurrentVerison\Ext\Settings{b580cf65-e151-49c3(unreadable symbols)}
system
December 9, 2009, 4:28am
2
hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:15 ??, on 2009-12-8
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ???5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra ‘Tools’ menuitem: ???5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra ‘Tools’ menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ??? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cwt - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP M1319 Receive Fax Service (HPM1319RcvFaxSrvc) - Marvell - C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
–
End of file - 7487 bytes
I am aware that I have orbit downloader, some of the no names are parts of a removed baidu bar
Hi Zone,
After scan your HijackThis log, there is not harmful application which running on your system. But some registry you need to fixed likes :
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file
And then for your referenced website, after i analyzed that website is not harmful website too.
http://www.mywot.com/en/scorecard/www.google.com
Because google only search engine, but instead of that if you clicked on go to this porn website. I am not sure, in there safe or not safe?
But to make sure, please follow these steps :
Download Combofix
Download it and save with rename the file, like example : 123.exe
Please stop all of windows activity included avast antivirus protection
Please click your download fil and start the scan
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.
After the scan has did, please submit your combofix.txt in to this forum.
Referenced to : http://forum.avast.com/index.php?topic=52019.0
system
December 9, 2009, 10:21pm
4
Avast should detect and remove Cinmus. Try running a boot time scan and send to the virus chest (quarantine) whatever avast! finds.
system
December 10, 2009, 4:00am
5
now avast did not find anything on the site , I guess what I’m trying to say is that could malware’s bytes missed one registry bit?
system
December 11, 2009, 2:47am
6
Does anybody know were to get a list of websites that may contain this?
Edit: So if this was installed by website avast would of picked it up right? The only way for it to get in would be an installation for another program.
polonus
December 11, 2009, 12:32pm
7
This is a typical adware BHO that can be removed with BHO demon: http://www.definitivesolutions.com/bhodemon.htm
Here we provide you with the manual removal instructions for this maware:
Adware.Cinmus is an annoying adware program that bombards you with hundreds of popup advertisments based on your browsing habits. Adware.Cinmus will also monitor your web surfing habit and send information to the third parties. Adware.Cinmus embeds itself into your system as a Browser Helper Object (BHO) and it may be difficult to remove it manually
Kill processes:
Step 1 : Use Windows Task Manager to Remove Adware.Cinmus Processes
Remove the “Adware.Cinmus” processes files:
ad3673.exe
malware.exe
Step 2 : Detect and Delete Other Adware.Cinmus Files
Remove the “Adware.Cinmus” processes files:
mtlrd
mtlrd.sys
ad3673.exe
Unregister DLLs:
syswindrv.dll
Delete files:
ntptdb.sys syswindrv.dll malware.exe
Step 3 : View the Adware.Cinmus Components with its MD5s
Remove the “Adware.Cinmus” components:
File Name File Size MD5
ad3673.exe 113799 5dae169ac924696ec0deff8886ae55f9
mtlrd.sys 349444 2e523abd368262b0bc74e15f8e224a0c
ntptdb.sys 212996 38bcbc5547a3d7bc5c870e7f9ce722bc
mtlrd.sys 349188 423809dc3187938880e3d480d6191f7b
malware.exe 228752 0663acb0972c48a194248b8ab0e8a56e
syswindrv.dll 189440 b8c1acb7b49eaaf3228b369e83c258b4
polonus
system
December 12, 2009, 3:17am
8
This is a typical adware BHO that can be removed with BHO demon: http://www.definitivesolutions.com/bhodemon.htm
Here we provide you with the manual removal instructions for this maware:
Adware.Cinmus is an annoying adware program that bombards you with hundreds of popup advertisments based on your browsing habits. Adware.Cinmus will also monitor your web surfing habit and send information to the third parties. Adware.Cinmus embeds itself into your system as a Browser Helper Object (BHO) and it may be difficult to remove it manually
polonus
(Shortened)
That link opens a 404- Error, but its a costom one…
system
December 15, 2009, 1:01am
9
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file
Anyone know how to remove this? It just comes back after every scan
Edit: It also seems to be able to close your browser, avast didn’t detect a virus. So is this just an error? I think that this is because I closed the pop-ups before it finished loading.Could some one provide an answer and maybe check out my guess on why it closes the browser?
system
December 15, 2009, 2:28am
10
Malwarebytes removes this according to thier list of trojans they detect and remove this one, Trojan.Cinmus listed as number 2075 at the time of this post, http://www.malwarebytes.org/malwarenet.php
DavidR
December 15, 2009, 2:47am
11
system
December 16, 2009, 1:40am
12
Yup, I still don’t know how to remove’em I thought Spybot qurantine’d them
DavidR
December 16, 2009, 2:39am
13
Yes, but do any of the dlls mentioned in the article on your system ?
If so they should be checked against virustotal and if multiple detections send the sample/s to avast.
Or are any of them quarantines by Spybot ?
The idea being if any files are quarantined by spybot which aren’t detected by avast you should send a sample/s to avast.
system
December 21, 2009, 11:27pm
14
Yes, but do any of the dlls mentioned in the article on your system ?
If so they should be checked against virustotal and if multiple detections send the sample/s to avast.
Or are any of them quarantines by Spybot ?
The idea being if any files are quarantined by spybot which aren’t detected by avast you should send a sample/s to avast.
I think Spybot has’em qurrantined
DavidR
December 21, 2009, 11:45pm
15
OK, that’s fine, provided you aren’t having any further problems.
system
December 22, 2009, 3:02am
16
Ok I think I may have been infected by “Malware JS:Pdfka-DH [Expl]” As I tried going there again and this thing pop’d up, I read some info on it and
I’m wondering if this is why my broswer closed suddenly. I’m wondering if I am safe from these 2 things on the bottom list of this site’s page http://www.f-secure.com/v-descs/exploit_js_pdfka_ti.shtml
I’m currently scanning on Malwarebyte’s at “Scanning for infected files, folders,and misellanious objects” It has found something beloning the Trojan.fakealert for a “thunder”? file(C:\Program Files\Thunder Network\Thunder\Program\Update\BHOStubUpdate-20081222.exe (Trojan.FakeAl).It has asked for a restart and another scan.
Another question is that since I own more than one computer canit be possable if they get contaminated for using the same connection even if they do not connect to each other?And if some form of malware does try to connect to them would avast pick it up?
system
December 22, 2009, 3:03am
17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:29 ??, on 2009-12-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: (no name) - -{B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKUS\S-1-5-21-220523388-1292428093-725345543-1005..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘YanGao’)
O4 - HKUS\S-1-5-21-220523388-1292428093-725345543-1005..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” (User ‘YanGao’)
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ???5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra ‘Tools’ menuitem: ???5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra ‘Tools’ menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ??? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: cwt - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP M1319 Receive Fax Service (HPM1319RcvFaxSrvc) - Marvell - C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
–
End of file - 7754 bytes
Same as last time but an Thunder BHO?