huadio.tmp, pskill.k, gendel.a, spyware cookies

Zazula · 06-07-2006, 03:28 AM

This pc had an issue with huadio.tmp invoking Windows Defender to ask permission to accept or not a service & drivers change. Apart from this, the only other issue was that it either unsolicitedly asked for a dial-up connection or it showed hang-up symptoms (combined with 100% cpu spikes) when it connected thru dial-up (not thru the lan gateway).

I ran the 5-step procedure, which also came up with some other threats found in that pc; namely: pskill.k, gendel.a, and spyware cookies.

The 5-step procedure was thoroughly followed according to the instructions provided by Microbell (all online scanners used), and then CleanUp and Ewido were run at Safe Mode.

Here is the resulting HJT log, waiting for your feedback:

Logfile of HijackThis v1.99.1
Scan saved at 12:08:15 μμ, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
K:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\MGE\RunSC.exe
C:\WINDOWS\system32\MGE\PCtl.exe
C:\WINDOWS\system32\MGE\BIL.EXE
C:\Program Files\VeriSign\NAVI\naviagent.exe
C:\WINDOWS\system32\MGE\CILUSB.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
K:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
K:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Icons\Seticon.exe
K:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
K:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\G-VGA.exe
C:\WINDOWS\SOUNDMAN.EXE
K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\@HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0.7\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O4 - HKLM\..\Run: [CaISSDT] "k:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "k:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "k:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] K:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "K:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] K:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Check Windows Disk Protection.lnk = C:\Program Files\Microsoft Shared Computer Toolkit\CheckWDP.hta
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = K:\Program Files\Adobe\Acrobat 7.0.7\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139410088578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139479721531
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - K:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MGE Service module - Unknown owner - C:\WINDOWS\system32\MGE\RunSC.exe
O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Program Files\VeriSign\NAVI\naviagent.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SCTThresholdMonitor (SCTThresholdMon) - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups2.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WDPOperations - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE

**Glaswegian** · 06-07-2006, 02:32 PM

Hi Zazula

I was a bit worried when I saw your name against a post here..........

The log is clean. Any particular problems? I guess Ewido cleaned out the odd items you found?

Zazula · 06-07-2006, 11:29 PM

Hi Glaswegian

I'm really sorry if the appearance of my name in a thread raises worries...

The point is that, when huadio.tmp was intercepted by Windows Defender, I was given the sound advice in the General Security part of TSF to run the 5-step procedure. I combined this with earlier sporadic signs that could be the result of hardly-detectable malware (despite the presence in that pc of a bunch of "standard" resident anti-malware tools), and I decided to follow the 5-step procedure.

I'm really glad that I did so, because malware was indeed detected that I was unaware of, and now I feel (personally & pc-wise) in a much better state.

Now, what I found inherent in the 5-step procedure, is that it has to be performed precisely and methodically. To my understanding, this means to do what you are asked to do - nothing more, nothing less. It's of paramount importance to stick to the instructions, and that's what I did. I had a look to the HJT log myself, seemed OK, but I didn't touch a thing. When you are told so and you do otherwise, you're heading for trouble in the most unrespectful (to all the hard work that founds TSF) way.

Conclusively, this pc seems to be running and, according to the HJT log, is indeed running normally. Thanks for taking the time to check it out. I believe this thread can now be classified as resolved.

06-07-2006, 03:28 AM	#1 (permalink)
Zazula Manager Emeritus, I'm blond, James Blond Join Date: Apr 2006 Location: Athens, Greece Posts: 7,667 OS: Win XP Pro SP2	huadio.tmp, pskill.k, gendel.a, spyware cookies This pc had an issue with huadio.tmp invoking Windows Defender to ask permission to accept or not a service & drivers change. Apart from this, the only other issue was that it either unsolicitedly asked for a dial-up connection or it showed hang-up symptoms (combined with 100% cpu spikes) when it connected thru dial-up (not thru the lan gateway). I ran the 5-step procedure, which also came up with some other threats found in that pc; namely: pskill.k, gendel.a, and spyware cookies. The 5-step procedure was thoroughly followed according to the instructions provided by Microbell (all online scanners used), and then CleanUp and Ewido were run at Safe Mode. Here is the resulting HJT log, waiting for your feedback: Logfile of HijackThis v1.99.1 Scan saved at 12:08:15 μμ, on 7/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe K:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\MGE\RunSC.exe C:\WINDOWS\system32\MGE\PCtl.exe C:\WINDOWS\system32\MGE\BIL.EXE C:\Program Files\VeriSign\NAVI\naviagent.exe C:\WINDOWS\system32\MGE\CILUSB.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe K:\Program Files\UPHClean\uphclean.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE K:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe K:\Program Files\ZoneAlarm\zlclient.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Icons\Seticon.exe K:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe K:\Program Files\Java\jre1.5.0_07\bin\jusched.exe C:\WINDOWS\System32\G-VGA.exe C:\WINDOWS\SOUNDMAN.EXE K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\WINDOWS\system32\ctfmon.exe K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe C:\@HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0.7\ActiveX\AcroIEHelper.dll O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll O4 - HKLM\..\Run: [CaISSDT] "k:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" O4 - HKLM\..\Run: [CaAvTray] "k:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "k:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [Zone Labs Client] K:\Program Files\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [BootSkin Startup Jobs] "K:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] K:\Program Files\Java\jre1.5.0_07\bin\jusched.exe O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] K:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background O4 - Startup: Check Windows Disk Protection.lnk = C:\Program Files\Microsoft Shared Computer Toolkit\CheckWDP.hta O4 - Global Startup: Adobe Gamma Loader.lnk = ? O4 - Global Startup: Adobe Reader Speed Launch.lnk = K:\Program Files\Adobe\Acrobat 7.0.7\Reader\reader_sl.exe O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing) O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing) O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://download.windowsupdate.com O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase7617.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139410088578 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139479721531 O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: CAISafe - Computer Associates International, Inc. - K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe O23 - Service: ewido security suite control - ewido networks - K:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MGE Service module - Unknown owner - C:\WINDOWS\system32\MGE\RunSC.exe O23 - Service: VeriSign Updater (navi) - VeriSign, Inc. - C:\Program Files\VeriSign\NAVI\naviagent.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SCTThresholdMonitor (SCTThresholdMon) - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups2.exe (file missing) O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - K:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WDPOperations - Unknown owner - C:\Program Files\Microsoft Shared Computer Toolkit\bin\SRVANY.EXE __________________ "Time is the wisest because it discovers everything" Thales of Miletus (ca.624BC-ca.546BC) "Everything flows, nothing stands still." Heraclitus of Ephesus (ca.535BC-475BC) "One thing I know, that I know nothing" Socrates of Athens (ca.470BC–399BC)

06-07-2006, 02:32 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,951 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi Zazula I was a bit worried when I saw your name against a post here.......... The log is clean. Any particular problems? I guess Ewido cleaned out the odd items you found? __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

06-07-2006, 11:29 PM	#3 (permalink)
Zazula Manager Emeritus, I'm blond, James Blond Join Date: Apr 2006 Location: Athens, Greece Posts: 7,667 OS: Win XP Pro SP2	Hi Glaswegian I'm really sorry if the appearance of my name in a thread raises worries... The point is that, when huadio.tmp was intercepted by Windows Defender, I was given the sound advice in the General Security part of TSF to run the 5-step procedure. I combined this with earlier sporadic signs that could be the result of hardly-detectable malware (despite the presence in that pc of a bunch of "standard" resident anti-malware tools), and I decided to follow the 5-step procedure. I'm really glad that I did so, because malware was indeed detected that I was unaware of, and now I feel (personally & pc-wise) in a much better state. Now, what I found inherent in the 5-step procedure, is that it has to be performed precisely and methodically. To my understanding, this means to do what you are asked to do - nothing more, nothing less. It's of paramount importance to stick to the instructions, and that's what I did. I had a look to the HJT log myself, seemed OK, but I didn't touch a thing. When you are told so and you do otherwise, you're heading for trouble in the most unrespectful (to all the hard work that founds TSF) way. Conclusively, this pc seems to be running and, according to the HJT log, is indeed running normally. Thanks for taking the time to check it out. I believe this thread can now be classified as resolved. __________________ "Time is the wisest because it discovers everything" Thales of Miletus (ca.624BC-ca.546BC) "Everything flows, nothing stands still." Heraclitus of Ephesus (ca.535BC-475BC) "One thing I know, that I know nothing" Socrates of Athens (ca.470BC–399BC)