Tech Support Forum - View Single Post - Unwanted popups and malware in the system

jmash · 11-17-2008, 12:56 PM

Hi Chemist,

The system seems to be bevahing to good extent now. But the internet explorers take whole of memory in task manager when I try to browse any url and it comes back after few seconds. Not sure if this is relate to malware problem we are trying to solve.

Here are the logs:
1. Eset log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=274cdda0194f2d4fa1af0c1ec2632a00
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2004-11-16 11:36:23
# local_time=2004-11-16 11:36:23 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=592536
# found=59
# scan_time=7110
C:\Qoobox\Quarantine\C\window\svchost.exe.vir Win32/Delf.NRU trojan 3A8C747C9EDAA2789AA0F97E42047255
C:\Qoobox\Quarantine\C\WINNT\dcbdcatys32_081027a.dll.vir a variant of Win32/Spy.Pophot trojan 68EC8571B7A02CF22842D8DA07711B71
C:\Qoobox\Quarantine\C\WINNT\wftadfi16_081027a.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52
C:\Qoobox\Quarantine\C\WINNT\system\sgcxcxxaspf081027.exe.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A
C:\Qoobox\Quarantine\C\WINNT\system32\afisicx.exe.vir a variant of Win32/Adware.Coolezweb application 2FBB8B776ED0E07140D3C8A7CB89991D
C:\Qoobox\Quarantine\C\WINNT\system32\IPHOST.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06
C:\Qoobox\Quarantine\C\WINNT\system32\noytcyr.exe.vir a variant of Win32/Adware.Coolezweb application ED720F520B1C6809F708AEB98A5861A4
C:\Qoobox\Quarantine\C\WINNT\system32\roytctm.exe.vir a variant of Win32/Adware.Coolezweb application 674B84D89833028517FAAD960FA2533E
C:\Qoobox\Quarantine\C\WINNT\system32\spoolsv.exe.vir probably a variant of Win32/TrojanDownloader.Agent.AFLS trojan C1B273114F984334AABB43A5E8A6FBC6
C:\Qoobox\Quarantine\C\WINNT\system32\_proxy.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06
C:\Qoobox\Quarantine\C\WINNT\system32\inf\scsys16_081027.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52
C:\Qoobox\Quarantine\C\WINNT\system32\inf\sppdcrs081027.scr.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A
C:\temp\kopdl0544.exe multiple infiltrations 8AB51F35C127943834DFA07BA7ED7B95
C:\temp\kopdl0544.exe »NSIS »bmv35gui.exe Win32/TrojanDownloader.Small.BUY trojan 00000000000000000000000000000000
C:\temp\kopdl0544.exe »NSIS »retmwav3.exe Win32/TrojanDownloader.Small.IAW trojan 00000000000000000000000000000000
C:\temp\kopdl0544.exe »NSIS »cegmgr76.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000
C:\WINNT\CSC\d8\8000004F Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0
C:\WINNT\CSC\d8\8000004F »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\WINNT\system32\2.8-Install.exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\tmpxr_171181334020.bk a variant of Win32/Adware.Coolezweb application 163F0BCDCBF11FE86FB61E664FDC4B39
C:\WINNT\system32\tmpxr_195992756418.bk a variant of Win32/Adware.Coolezweb application 853614CE021CE4E0E11D99D6DF45F832
C:\WINNT\system32\tmpxr_205689303098.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF
C:\WINNT\system32\tmpxr_23861349732.bk a variant of Win32/Adware.Coolezweb application D1AE54058AB715EF46214757448D0F1E
C:\WINNT\system32\tmpxr_282413342461.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D
C:\WINNT\system32\tmpxr_356987149273.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53
C:\WINNT\system32\tmpxr_417120747761.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743
C:\WINNT\system32\tmpxr_425936403528.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF
C:\WINNT\system32\tmpxr_460012159609.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356
C:\WINNT\system32\tmpxr_461285101735.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE
C:\WINNT\system32\tmpxr_495990362066.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F
C:\WINNT\system32\tmpxr_507946635869.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF
C:\WINNT\system32\tmpxr_537203219726.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79
C:\WINNT\system32\tmpxr_558510725087.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79
C:\WINNT\system32\tmpxr_62211495425.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE
C:\WINNT\system32\tmpxr_6599531352.bk a variant of Win32/Adware.Coolezweb application ADC918C2DB7FFD808D48C2BC99E5F952
C:\WINNT\system32\tmpxr_676204822280.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109
C:\WINNT\system32\tmpxr_684689111763.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D
C:\WINNT\system32\tmpxr_693103862995.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53
C:\WINNT\system32\tmpxr_699846558307.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF
C:\WINNT\system32\tmpxr_710829279225.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356
C:\WINNT\system32\tmpxr_712273811668.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C
C:\WINNT\system32\tmpxr_722079827962.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C
C:\WINNT\system32\tmpxr_72936194152.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743
C:\WINNT\system32\tmpxr_769476218194.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2
C:\WINNT\system32\tmpxr_774126331392.bk a variant of Win32/Adware.Coolezweb application F910A95C0936D60DCA50C3F463B3504C
C:\WINNT\system32\tmpxr_779767628882.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F
C:\WINNT\system32\tmpxr_792091519450.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2
C:\WINNT\system32\tmpxr_817036450882.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109
C:\WINNT\system32\tmpxr_855838239784.bk a variant of Win32/Adware.Coolezweb application 6A319C395576EEAA4EA7F09FA6B422CC
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[1].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[2].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[3].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[4].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[5].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[1].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[2].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[3].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6AW3FHQC\Cracked[1].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONTJJMGN\system[1].exe a variant of Win32/Proxec.A trojan 0D35F8B9477AE77778869C7D3FCBCBA0

2. Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02, on 2004-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ManageSoft\Launcher\mgsdl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\openFT\bin\SECSERV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\openFT\bin\NEACTRLS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\NV1921.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Sie\CAT Bulletin Board\CBB.exe
C:\Program Files\Sie\Card API\bin\siecacst.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\OfficeScan NT\Pop3Trap.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\users\Mahesh\software\cav.bal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.Sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.sitest.net;*.sie.net;*.sie.de;<local>
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe
O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1960408961-725345543-468838394-1152\..\Policies\Explorer\Run: [1] \\gb001.sie.net\DFSRoot\NCIP_SBS\SBS\NT4 Printer Migration\MigrateClientPrinters.bat (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\Software\..\Telephony: DomainName = GB001.sie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.sie.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.sie.net
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O23 - Service: CatSystem (CatSystemSvc) - Sie AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe
O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: openFT Server (openFT FTNEA) - Sie Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE
O23 - Service: openFT Security Server - Sie Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

--
End of file - 10356 bytes

Thanks,
jmash

11-17-2008, 12:56 PM	#14 (permalink)
jmash Registered User Join Date: May 2008 Posts: 18 OS: xp SP2	Re: Unwanted popups and malware in the system Hi Chemist, The system seems to be bevahing to good extent now. But the internet explorers take whole of memory in task manager when I try to browse any url and it comes back after few seconds. Not sure if this is relate to malware problem we are trying to solve. Here are the logs: 1. Eset log: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3615 (20081115) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=274cdda0194f2d4fa1af0c1ec2632a00 # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2004-11-16 11:36:23 # local_time=2004-11-16 11:36:23 (+0000, GMT Standard Time) # country="United Kingdom" # osver=5.1.2600 NT Service Pack 2 # scanned=592536 # found=59 # scan_time=7110 C:\Qoobox\Quarantine\C\window\svchost.exe.vir Win32/Delf.NRU trojan 3A8C747C9EDAA2789AA0F97E42047255 C:\Qoobox\Quarantine\C\WINNT\dcbdcatys32_081027a.dll.vir a variant of Win32/Spy.Pophot trojan 68EC8571B7A02CF22842D8DA07711B71 C:\Qoobox\Quarantine\C\WINNT\wftadfi16_081027a.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52 C:\Qoobox\Quarantine\C\WINNT\system\sgcxcxxaspf081027.exe.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A C:\Qoobox\Quarantine\C\WINNT\system32\afisicx.exe.vir a variant of Win32/Adware.Coolezweb application 2FBB8B776ED0E07140D3C8A7CB89991D C:\Qoobox\Quarantine\C\WINNT\system32\IPHOST.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06 C:\Qoobox\Quarantine\C\WINNT\system32\noytcyr.exe.vir a variant of Win32/Adware.Coolezweb application ED720F520B1C6809F708AEB98A5861A4 C:\Qoobox\Quarantine\C\WINNT\system32\roytctm.exe.vir a variant of Win32/Adware.Coolezweb application 674B84D89833028517FAAD960FA2533E C:\Qoobox\Quarantine\C\WINNT\system32\spoolsv.exe.vir probably a variant of Win32/TrojanDownloader.Agent.AFLS trojan C1B273114F984334AABB43A5E8A6FBC6 C:\Qoobox\Quarantine\C\WINNT\system32\_proxy.dll.vir Win32/Agent.YNL trojan 97D74E7CD95120A0AA1C6C920D55EF06 C:\Qoobox\Quarantine\C\WINNT\system32\inf\scsys16_081027.dll.vir a variant of Win32/Spy.Pophot trojan F22FED737CAE20CB7F0C75A7253FDA52 C:\Qoobox\Quarantine\C\WINNT\system32\inf\sppdcrs081027.scr.vir a variant of Win32/Spy.Pophot trojan A500FEE0AD43471FAE584A476DA32C7A C:\temp\kopdl0544.exe multiple infiltrations 8AB51F35C127943834DFA07BA7ED7B95 C:\temp\kopdl0544.exe »NSIS »bmv35gui.exe Win32/TrojanDownloader.Small.BUY trojan 00000000000000000000000000000000 C:\temp\kopdl0544.exe »NSIS »retmwav3.exe Win32/TrojanDownloader.Small.IAW trojan 00000000000000000000000000000000 C:\temp\kopdl0544.exe »NSIS »cegmgr76.exe Win32/Adware.ZenoSearch application 00000000000000000000000000000000 C:\WINNT\CSC\d8\8000004F Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0 C:\WINNT\CSC\d8\8000004F »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000 C:\WINNT\system32\2.8-Install.exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9 C:\WINNT\system32\tmpxr_171181334020.bk a variant of Win32/Adware.Coolezweb application 163F0BCDCBF11FE86FB61E664FDC4B39 C:\WINNT\system32\tmpxr_195992756418.bk a variant of Win32/Adware.Coolezweb application 853614CE021CE4E0E11D99D6DF45F832 C:\WINNT\system32\tmpxr_205689303098.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF C:\WINNT\system32\tmpxr_23861349732.bk a variant of Win32/Adware.Coolezweb application D1AE54058AB715EF46214757448D0F1E C:\WINNT\system32\tmpxr_282413342461.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D C:\WINNT\system32\tmpxr_356987149273.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53 C:\WINNT\system32\tmpxr_417120747761.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743 C:\WINNT\system32\tmpxr_425936403528.bk a variant of Win32/Adware.Coolezweb application BBE6CDAAF9717B481C2196462830FBAF C:\WINNT\system32\tmpxr_460012159609.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356 C:\WINNT\system32\tmpxr_461285101735.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE C:\WINNT\system32\tmpxr_495990362066.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F C:\WINNT\system32\tmpxr_507946635869.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF C:\WINNT\system32\tmpxr_537203219726.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79 C:\WINNT\system32\tmpxr_558510725087.bk a variant of Win32/Adware.Coolezweb application 3083AAC7A0FA96198DCE380834054A79 C:\WINNT\system32\tmpxr_62211495425.bk a variant of Win32/Adware.Coolezweb application 30622C6FB6AADE86119D459154576BDE C:\WINNT\system32\tmpxr_6599531352.bk a variant of Win32/Adware.Coolezweb application ADC918C2DB7FFD808D48C2BC99E5F952 C:\WINNT\system32\tmpxr_676204822280.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109 C:\WINNT\system32\tmpxr_684689111763.bk a variant of Win32/Adware.Coolezweb application 2B71088ACCB7834656E6FD594D05C69D C:\WINNT\system32\tmpxr_693103862995.bk a variant of Win32/Adware.Coolezweb application 21EED78CB2BD68C5B03C3848C2A9AA53 C:\WINNT\system32\tmpxr_699846558307.bk a variant of Win32/Adware.Coolezweb application 48E44646132A3C8ACB5A6D7425000DDF C:\WINNT\system32\tmpxr_710829279225.bk a variant of Win32/Adware.Coolezweb application E00A71833991D6230974E81A7A86C356 C:\WINNT\system32\tmpxr_712273811668.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C C:\WINNT\system32\tmpxr_722079827962.bk a variant of Win32/Adware.Coolezweb application 4A01C090780BE7CCCFFEC7004637231C C:\WINNT\system32\tmpxr_72936194152.bk Win32/Adware.Coolezweb application BEC5F07CDD2C52C8ECE0035081467743 C:\WINNT\system32\tmpxr_769476218194.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2 C:\WINNT\system32\tmpxr_774126331392.bk a variant of Win32/Adware.Coolezweb application F910A95C0936D60DCA50C3F463B3504C C:\WINNT\system32\tmpxr_779767628882.bk a variant of Win32/Adware.Coolezweb application 070A8B879C4446DB6297C2C95DA6FA9F C:\WINNT\system32\tmpxr_792091519450.bk a variant of Win32/Adware.Coolezweb application CD36BADE2BB2C98F9FEA497C09032BF2 C:\WINNT\system32\tmpxr_817036450882.bk a variant of Win32/Adware.Coolezweb application 983CF12D541C9BB67C36EDD08FA9D109 C:\WINNT\system32\tmpxr_855838239784.bk a variant of Win32/Adware.Coolezweb application 6A319C395576EEAA4EA7F09FA6B422CC C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[1].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[2].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[3].exe a variant of Win32/Proxec.A trojan A747023C58D30AC5ED68CB3175EB0BFD C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[4].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0NDBN6TJ\Cracked[5].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[1].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[2].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3VEGDJY0\Cracked[3].exe a variant of Win32/Proxec.A trojan 327622A6C84679ADEBCA7D150E7754E9 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6AW3FHQC\Cracked[1].exe Win32/Proxec.B trojan 9CE4BB83069B2126536DAFA3C2E93E93 C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ONTJJMGN\system[1].exe a variant of Win32/Proxec.A trojan 0D35F8B9477AE77778869C7D3FCBCBA0 2. Hijackthis.log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:02, on 2004-11-17 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\ManageSoft\Launcher\mgsdl.exe C:\WINNT\System32\mnmsrvc.exe C:\Program Files\ManageSoft\Launcher\ndserv.exe C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe C:\WINNT\system32\rundll32.exe C:\Program Files\openFT\bin\SECSERV.EXE C:\WINNT\System32\svchost.exe C:\Program Files\OfficeScan NT\tmlisten.exe C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe C:\Program Files\openFT\bin\NEACTRLS.EXE C:\WINNT\System32\svchost.exe C:\WINNT\TEMP\NV1921.EXE C:\WINNT\Explorer.EXE C:\WINNT\System32\hkcmd.exe C:\Program Files\RightFax\FaxCtrl.exe C:\Program Files\Sie\CAT Bulletin Board\CBB.exe C:\Program Files\Sie\Card API\bin\siecacst.exe C:\Program Files\CryptoEx\Common\CexTray.exe C:\Program Files\CryptoEx\Common\EASServer.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Brother\ControlCenter3\brccMCtl.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\OfficeScan NT\Pop3Trap.exe C:\WINNT\system32\taskmgr.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\WINNT\system32\notepad.exe C:\Program Files\OfficeScan NT\ntrtscan.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINNT\system32\NOTEPAD.EXE C:\users\Mahesh\software\cav.bal.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pacs.erl.sbs.de/sbs.pac R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=mddmproxy.gb001.Sie.net:80;https=mddmproxy.gb001.sie.net:80;ftp=mddmproxy.gb001.sie.net:80;gopher=localhost:1;socks=proxy1.sbs.sie.co.uk:1080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .sitest.net;.sie.net;*.sie.de;<local> O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [NeroCheck] C:\Program Files\Ahead\\Nero\NeroCheck.exe O4 - HKLM\..\Run: [DirXconnect settings] C:\\PROGRA~1\SIE\DIRXDI~1\dxdSetup.exe -silent -dxcsettings O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Sie\Card API\bin\siecacst.exe O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [CatUserRun] exec32 /wh /c chgreg5 /c O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-1960408961-725345543-468838394-1152\..\Policies\Explorer\Run: [1] \\gb001.sie.net\DFSRoot\NCIP_SBS\SBS\NT4 Printer Migration\MigrateClientPrinters.bat (User '?') O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\GetFlash.exe (User 'Default user') O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing) O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll (file missing) O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/members/ O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.co.uk/SnapfishUKActivia.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176402450038 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GB001.sie.net O17 - HKLM\Software\..\Telephony: DomainName = GB001.sie.net O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GB001.sie.net O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GB001.sie.net O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GB001.sie.net O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll O23 - Service: CatSystem (CatSystemSvc) - Sie AG - C:\WINNT\CatPC\CATSYS\CatSystemSvc.exe O23 - Service: CAT Bulletin Board (CBBS) - Unknown owner - C:\Program Files\Sie\CAT Bulletin Board\CBBS.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - -C:\WINNT\SYSTEM32\DWRCS.EXE (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Ipx/ip Service (ipxlauncher) - Unknown owner - c:\window\svchost.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: ManageSoft Peer-to-Peer Download Service (mgsdl) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\mgsdl.exe O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe O23 - Service: openFT Server (openFT FTNEA) - Sie Computers GmbH - C:\Program Files\openFT\bin\NEACTRLS.EXE O23 - Service: openFT Security Server - Sie Computers GmbH - C:\Program Files\openFT\bin\SECSERV.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe -- End of file - 10356 bytes Thanks, jmash