So, I'm guessing this is a new beast unleashed?
Also, found a symptom upon restart:
No Explorer until Ctrl+Alt+Del was pressed.
Consistent "anti-spyware" Windows pop-ups, which open along with links to other sites.
I assume it's embedded into explorer.exe since I can't seem to find a process that relates to it.
Edit: Ran HJT again, found traces of a lot of browser hijacking... Here's a new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:33 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Razer\Tarantula\razerhid.exe
C:\Razer\Copperhead\razerhid.exe
C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe
C:\Razer\Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe
F:\program files\Winamp\winampa.exe
F:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Razer\Copperhead\razertra.exe
F:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\PROGRAM FILES\Google\Google Talk\googletalk.exe
C:\Razer\Copperhead\razerofa.exe
F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe
F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\PROGRAM FILES\LClock\lclock.exe
F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
F:\PROGRAM FILES\ViStart\ViStart.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\PeerGuardian2\pg2.exe
C:\Razer\Tarantula\razertra.exe
F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexStoreSvr.exe
F:\program files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
F:\HJT\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - F:\PROGRAM FILES\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Copperhead] C:\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE"
O4 - HKLM\..\Run: [BDMCon] "F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] F:\PROGRAM FILES\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\PROGRAM FILES\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] F:\PROGRAM FILES\LClock\lclock.exe
O4 - HKCU\..\Run: [Vista Sidebar] F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] F:\PROGRAM FILES\ViStart\ViStart.exe
O4 - HKCU\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKCU\..\Run: [PeerGuardian] F:\PROGRAM FILES\PeerGuardian2\pg2.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = F:\program files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer = 192.168.0.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\PROGRAM FILES\COMMON FILES\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - G:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\program files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\PROGRAM FILES\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - F:\PROGRAM FILES\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 13634 bytes
Here are some suspicious lines I saw:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) // Is this safe to delete?
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Thanks for your help so far, it's appreciated!
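The post above picks its suspicious lines out by eye. The following is an added example, not part of the original post or of HijackThis itself, showing how the same triage can be done mechanically over a HijackThis-format log. It uses a few heuristics that HJT helpers commonly apply and that are stated here as assumptions, not rules: a start/search page whose host is not on a trusted list; an O2/O3/O21 entry whose DLL sits directly in the Windows root (C:\WINDOWS\foo.dll rather than a subfolder such as system32), where legitimate shell components almost never live; an entry whose CLSID has "(no file)" behind it, which is an orphaned registration that cannot load anything; an O24 Active Desktop component served from a local file; and an O23 service whose binary is "(file missing)". The sample log is constructed from entries quoted in the post, with the truncated URL left as the post shows it.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on lines quoted in the
# post above. Real logs have many more sections; only these are triaged here.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Assumption: hosts you consider legitimate for IE start/search pages. The
# Microsoft fwlink defaults are what an untouched XP SP2 / IE7 install uses.
TRUSTED_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# A DLL or EXE directly in the Windows directory root (no subfolder). This is a
# heuristic: system32 and other subfolders are excluded on purpose.
WINDOWS_ROOT_FILE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)

# "R0 - ..." / "O23 - ..." line shape used throughout an HJT log.
HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def _last_field(rest: str) -> str:
    """HJT prints the backing file (or '(no file)') as the last ' - ' field."""
    return rest.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str) -> Optional[str]:
    """Return a short reason if the line looks suspicious, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    section, rest = m.groups()

    if section in ("R0", "R1"):
        url = rest.split("=", 1)[1].strip() if "=" in rest else ""
        if not url:
            return None  # HJT prints an empty value for an unset page
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_PAGE_HOSTS:
            return f"start/search page points at untrusted host {host}"
        return None

    if section in ("O2", "O3", "O20", "O21"):
        path = _last_field(rest)
        if path == "(no file)":
            return "orphaned CLSID registration (no backing file)"
        if WINDOWS_ROOT_FILE.match(path):
            return "component loaded from Windows root"
        return None

    if section == "O23" and rest.endswith("(file missing)"):
        return "service points at a missing binary"

    if section == "O24" and "file:///" in rest.lower():
        return "Active Desktop component served from a local file"

    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (reason, original line) pairs."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the sample, this flags the redirected start page, the orphaned and Windows-root BHO/toolbar/SSODL entries, the missing-binary service and the local-file desktop component, and leaves the Adobe BHO, the NVIDIA run key and the NVIDIA service alone. A hit is a reason to look closer (hash the file, check its signer, submit it to a scanner), not a verdict; conversely an entry that passes these checks can still be hostile if it was dropped somewhere the heuristics do not cover.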