01-18-2008, 04:01 PM   #1
jusatsking
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Pop ups - Win32/BaiduSobar or Win32/Henbang

I started getting CHINESE pop-ups; sometimes they open new browser windows, or they are attached to the page I am on. There are also links that keep appearing in my Favorites and in those of the other users of this PC. I scanned with:

Symantec Antivirus:
wstdik.dll
EE60714F-AC17-427E-861A-FD60CBDF119A
07.01.2007 20:51:17 - ##### check started #####
07.01.2007 20:51:17 - ### Version: 1.4
07.01.2007 20:51:17 - ### Date: 1/7/2007 8:51:17 PM
07.01.2007 20:51:17 - ##### checking bots #####
07.01.2007 20:54:24 - found: Sogou User settings
07.01.2007 20:54:24 - found: Sogou User settings
07.01.2007 20:54:25 - found: Sogou User settings
07.01.2007 20:54:29 - found: Sogou Temporary file
07.01.2007 20:54:30 - found: Sogou Temporary file
07.01.2007 20:54:31 - found: Sogou Executable
07.01.2007 21:17:15 - found: Troj.PrintSpool Settings
07.01.2007 21:17:16 - found: Troj.PrintSpool Settings
07.01.2007 21:24:49 - ##### check finished #####

Windows Defender:
Win32/Henbang

Win32/BaiduSobar
Resources:
file:
C:\WINDOWS\system32\tflock.exe->(nsis-6-BaiduBar.dll)

file:
C:\WINDOWS\system32\dsgj.exe->(nsis-3-BaiduBar.dll)

containerfile:
C:\WINDOWS\system32\tflock.exe

containerfile:
C:\WINDOWS\system32\dsgj.exe

I listed the pop-up links:

I also listed the Favorites links (they are written in special characters like 挑战答题送免费Q币):


There was also an extra button in the cut/copy/paste/delete/select all menu. It was labeled 易趣购物, but it is gone now.

I guess that is all the information I have.

LOG POST

PANDA log Activescan:


Incident Status Location

Adware:adware/baidubar Not disinfected Windows Registry
Virus:Trj/Downloader.RYB Disinfected C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\install.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Charles\Cookies\charles@atdmt[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@ads.addynamix[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@atdmt[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Kristel\Cookies\kristel@tribalfusion[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
Possible Virus. Not disinfected C:\WINDOWS\system32\my_70049.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Temp\Cookies\user@atdmt[1].txt
Virus:Trj/Downloader.RWB Disinfected C:\WINDOWS\Temp\nl264b45a.exe
Virus:Trj/Downloader.RWB Disinfected C:\WINDOWS\Temp\nldca4d0.exe


Deckard's System Scanner main.txt:

Deckard's System Scanner v20071014.68
Run by User on 2008-01-18 17:11:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
14: 2008-01-18 22:11:07 UTC - RP201 - Deckard's System Scanner Restore Point
13: 2008-01-18 20:17:39 UTC - RP200 - Software Distribution Service 3.0
12: 2008-01-17 23:22:37 UTC - RP199 - System Checkpoint
11: 2008-01-16 07:29:30 UTC - RP198 - Software Distribution Service 3.0
10: 2008-01-16 02:36:22 UTC - RP197 - System Checkpoint


-- First Restore Point --
1: 2008-01-10 01:03:21 UTC - RP188 - Removed Nero 7 Ultra Edition


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:21 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 127.0.0.2 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [lrzsny] C:\WINDOWS\system32\lrzsny.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: 易趣购物 - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=824 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7988 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iur99 (iur9) - c:\windows\system32\drivers\iur99.sys
R2 mxdispdr - c:\windows\system32\drivers\mxdispdr.sys
R2 ymze8d - c:\windows\system32\drivers\ymze8d.sys

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S2 sysloader (System Event loader) - "c:\documents and settings\all users\application data\microsoft\office\system\sysloader.exe" <Not Verified; Microsoft; sysloader>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-18 15:16:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-03 13:39:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-18 and 2008-01-18 -----------------------------

2008-01-18 17:13:12 0 d-------- C:\Program Files\Trend Micro
2008-01-18 16:56:07 0 d-------- C:\ZonedOut
2008-01-18 16:55:36 0 d-------- C:\ie-spyad_zo
2008-01-18 16:52:44 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2008-01-18 16:42:49 0 d-------- C:\Program Files\SpywareBlaster
2008-01-18 16:18:15 0 dr-h----- C:\Documents and Settings\User\Recent
2008-01-18 15:39:55 8576 --a------ C:\WINDOWS\system32\drivers\sntsalcnqmhc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:36:15 8576 --a------ C:\WINDOWS\system32\drivers\rjvescefttgt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 15:18:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18:20 0 d-------- C:\WINDOWS\LastGood
2008-01-14 20:31:27 0 d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01:21 0 d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42:33 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42:31 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42:31 0 d-------- C:\Program Files\Xvid
2008-01-11 22:32:28 0 d-------- C:\Documents and Settings\Charles\Application Data\WinRAR
2008-01-10 19:39:12 0 d-------- C:\Program Files\Windows Defender
2008-01-10 15:29:23 0 d-------- C:\Program Files\Windows Live
2008-01-09 19:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-01-09 19:47:33 0 d--hs---- C:\Documents and Settings\LocalService\UserData
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files\ODBC
2008-01-09 00:30:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-06 13:08:00 14 --a------ C:\WINDOWS\system32\-10958-54120
2008-01-06 13:07:46 168388 --a------ C:\WINDOWS\system32\drivers\mxdispdr.sys
2008-01-06 04:08:48 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2008-01-05 11:42:19 20541 --a------ C:\WINDOWS\system32\detoured.dll <Not Verified; Microsoft Corporation; Microsoft Research Detours Package>
2008-01-05 11:04:04 18087 --a------ C:\WINDOWS\system32\comrcinf.dat
2008-01-04 20:03:31 0 d-------- C:\Program Files\Common Files\Ahead
2008-01-04 13:45:48 396 --a------ C:\WINDOWS\system32\cmbinfo.dat
2008-01-04 13:45:43 134144 --a------ C:\WINDOWS\tempaq
2008-01-04 13:45:19 165693 --a------ C:\WINDOWS\system32\dodolook254.exe
2008-01-04 13:45:07 20480 --a------ C:\WINDOWS\system32\my_70049.exe
2008-01-03 23:56:23 0 d-------- C:\Program Files\Microsoft Works
2008-01-03 23:52:40 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-12-21 18:45:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-01-18 16:02:44 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-18 16:00:18 0 d-------- C:\Program Files\iTunes
2008-01-18 15:59:21 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 15:24:03 45056 ---hs---- C:\WINDOWS\bitdot.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2008-01-09 02:14:18 0 d-------- C:\Program Files\Common Files
2008-01-04 19:42:33 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-01-04 19:39:57 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-23 01:03:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-24 17:38:11 116996 --a----c- C:\WINDOWS\hpoins11.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}]
01/04/2008 02:10 PM 172032 --a------ C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/23/2005 09:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/23/2005 09:31 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 01:42 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 08:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/2007 07:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"x"="C:\WINDOWS\system32\x.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 07:27 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [08/28/2007 05:11 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"lrzsny"=C:\WINDOWS\system32\lrzsny.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/4/2008 7:40:08 PM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9be5b1fc-5c22-11dc-85d4-000f1f927d07}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

*Newly Created Service* - RJVESCEFTTGT
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - SNTSALCNQMHC



-- Hosts -----------------------------------------------------------------------

127.0.0.2 localhost


-- End of Deckard's System Scanner: finished at 2008-01-18 17:14:48 ------------

Thank you.
Attached file: extra.txt (20.3 KB)

Last edited by Ried; 02-05-2008 at 09:32 PM. Reason: munged the live links for safety