> [Resolved] laptop gone slow!, tell it how it is doc. what have i got? somethin nasty?
collen
post Jul 16 2008, 10:29 AM
Post #1


Authentic Member

Group: Authentic Member
Posts: 29
Joined: 15-March 05
Member No.: 27,804
Operating System: windows XP



Compaq R3000 laptop running XP (SP3), 1.5 GB RAM. I connect to the internet via mobile phone (T-Mobile web n walk).

For the past week or so it's been running strangely, i.e.:

* sometimes hangs for longer than usual on 'saving your settings' on shutdown
* browser takes a few attempts to load web pages
* for some reason ZoneAlarm stopped internet access altogether; browser/email programs couldn't connect to the net, although the connection showed data still being transmitted/received (can't figure out which program was doing this...). I shut down ZoneAlarm and browser/email/everything else works again. I'm now using Ashampoo Firewall, but am still concerned something is using my connection that I don't know about.
* computer generally sluggish, seems to take longer to open programs etc.

I have had a dig around in Task Manager for anything hogging resources and cannot see a culprit, but I'm sure something's wrong.

Please, if anyone can help I would appreciate it. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:15, on 16/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198237966031
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75C6336C-0C03-4FE8-A199-0814A00D0C2E}: NameServer = 149.254.201.126 149.254.192.126
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JNU - Unknown owner - C:\DOCUME~1\Collen\LOCALS~1\Temp\JNU.exe (file missing)
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10209 bytes
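As an added example (not code from this thread or any of its posters): a small Python triage script that parses HijackThis v2 log lines like the ones above and pulls out the entries a helper reads first: a start page on a non-default host, a BHO whose DLL is gone, the DNS servers set in the registry, and services that run from a temp folder or whose binary is missing. The sample lines are copied from the log posted in this thread; the set of "default" start-page hosts is an assumption.

```python
"""Triage a HijackThis v2 log: list the entries a reviewer should verify first."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{75C6336C-0C03-4FE8-A199-0814A00D0C2E}: NameServer = 149.254.201.126 149.254.192.126
O23 - Service: JNU - Unknown owner - C:\DOCUME~1\Collen\LOCALS~1\Temp\JNU.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry line starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Assumption: hosts a stock XP/IE7 install or the HP/Compaq image would legitimately use as start page.
DEFAULT_START_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.hp.com"}
# Path fragments that mean "inside a user's temporary folder" (8.3 and long-name forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why a reviewer should look at this entry
    line: str     # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def _host_of(url):
    """Hostname part of a URL, lower-cased; scheme and path stripped."""
    return re.sub(r"^https?://", "", url.strip()).split("/")[0].lower()


def review(log_text):
    """Return the entries worth verifying, in log order. This is a worklist, not a verdict."""
    findings = []
    for section, body, line in parse_entries(log_text):
        low = body.lower()
        if section == "R0" and "start page" in low:
            host = _host_of(body.split("=", 1)[1])
            if host not in DEFAULT_START_HOSTS:
                findings.append(Finding(section, f"start page points at non-default host {host}", line))
        elif section == "O2" and low.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered but its DLL is gone (no file); orphaned entry", line))
        elif section == "O17" and "nameserver" in low:
            servers = body.split("=", 1)[1].strip()
            findings.append(Finding(section, f"DNS servers set in registry: {servers}; confirm they belong to the ISP", line))
        elif section == "O23":
            # Body is "Service: <name> - <owner> - <path>"; rsplit keeps names containing ' - ' intact.
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            name = name.replace("Service:", "", 1).strip()
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                findings.append(Finding(section, f"service {name} runs from a temp folder; owner '{owner}'", line))
            elif "(file missing)" in low and owner == "Unknown owner":
                findings.append(Finding(section, f"service {name} has unknown owner and its binary is missing", line))
    return findings


def counts_by_section(findings):
    """Quick summary for a first glance, e.g. {'O23': 2, 'R0': 1}."""
    out = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```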
ken545
post Jul 22 2008, 11:17 AM
Post #2


SuperHelper

Group: Malware Expert
Posts: 7,779
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Hello collen

Welcome to the Whatthetech Malware Removal Forum. Sorry for the delay in responding, but with the amount of people posting with infected computers there are not enough hours in the day.

It looks like you're infected with some malware; let's do a few things.

First drag HJT to the trash, as it's an outdated version; we will install the new one in a bit.

Do this first... Important

Disable the TeaTimer; you can re-enable it when we're done if you wish.

  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.




Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards, before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review





Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Wordwrap is unchecked
  • Go to Edit > Select All..... Edit > Copy, and paste the new log into this thread by using Post Reply, not Start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Post the Malwarebytes log, the ComboFix log and a new HJT log by Trend Micro.
collen
post Jul 22 2008, 02:00 PM
Post #3


Authentic Member

Group: Authentic Member
Posts: 29
Joined: 15-March 05
Member No.: 27,804
Operating System: windows XP



Hi Ken,

Thanks for the reply. I have followed your instructions; here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:16, on 22/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198237966031
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75C6336C-0C03-4FE8-A199-0814A00D0C2E}: NameServer = 149.254.201.126 149.254.192.126
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JNU - Unknown owner - C:\DOCUME~1\Collen\LOCALS~1\Temp\JNU.exe (file missing)
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9800 bytes


Here's the ComboFix log:

ComboFix 08-07-21.2 - Collen 2008-07-22 20:31:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.899 [GMT 1:00]
Running from: C:\Documents and Settings\Collen\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Collen\Application Data\.#
C:\WINDOWS\system32\btfunc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

4403-01-01 01:14 . 4403-01-01 01:14 268 --ah----- C:\sqmdata01.sqm
4403-01-01 01:14 . 4403-01-01 01:14 244 --ah----- C:\sqmnoopt01.sqm
2008-07-22 20:02 . 2008-07-22 20:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 20:02 . 2008-07-22 20:02 <DIR> d-------- C:\Documents and Settings\Collen\Application Data\Malwarebytes
2008-07-22 20:02 . 2008-07-22 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 20:02 . 2008-07-20 20:25 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 20:02 . 2008-07-20 20:25 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 12:42 . 2008-07-21 12:42 <DIR> d-------- C:\Program Files\PIXELA
2008-07-21 12:39 . 2008-07-21 12:39 <DIR> d-------- C:\Program Files\Sony Corporation
2008-07-21 12:39 . 2008-07-21 12:39 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-07-21 02:23 . 2008-07-21 02:24 3,096 --a------ C:\capture.00.avi
2008-07-21 00:28 . 2008-07-21 00:28 <DIR> d-------- C:\Documents and Settings\Collen\Application Data\InstallShield
2008-07-21 00:12 . 2008-07-21 00:12 <DIR> d-------- C:\Documents and Settings\Collen\Application Data\Sony Corporation
2008-07-20 22:09 . 2008-07-20 22:09 <DIR> d-------- C:\Program Files\Sony
2008-07-15 21:56 . 2008-04-14 01:12 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-07-15 21:56 . 2008-04-14 01:12 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-07-15 21:56 . 2008-04-13 19:39 5,376 --a------ C:\WINDOWS\system32\MSPCLOCK.sys
2008-07-15 21:50 . 2008-07-15 21:50 <DIR> d-------- C:\Drivers
2008-07-15 21:50 . 2006-10-30 13:46 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-07-15 21:50 . 2006-10-30 13:46 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-07-15 21:50 . 2006-10-30 13:46 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-07-15 21:50 . 2006-10-30 13:46 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-07-15 21:50 . 2006-10-30 13:46 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-07-15 21:50 . 2006-10-30 13:46 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-07-15 21:48 . 2008-04-13 19:45 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-07-15 21:48 . 2008-04-13 19:45 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-07-10 00:58 . 2008-07-10 00:58 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-01 21:55 . 2008-07-01 21:55 0 --a------ C:\WINDOWS\system32\(null)00202=19821=19818=19669.mpg.tmp
2008-06-30 21:23 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-06-30 21:03 . 2008-06-30 21:03 <DIR> d-------- C:\WINDOWS\Logs
2008-06-27 14:34 . 2008-06-27 14:36 <DIR> d-------- C:\Tv Film

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 19:38 17,911,840 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-22 19:35 215,108 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-22 19:00 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-21 11:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 21:06 --------- d-----w C:\Documents and Settings\Collen\Application Data\AVG7
2008-07-17 19:26 --------- d-----w C:\Program Files\Soulseek
2008-07-16 18:49 --------- d-----w C:\Documents and Settings\Collen\Application Data\dvdcss
2008-07-16 17:26 --------- d-----w C:\Documents and Settings\Collen\Application Data\OpenOffice.org2
2008-07-15 21:41 --------- d-----w C:\Documents and Settings\Collen\Application Data\uTorrent
2008-07-15 18:38 --------- d-----w C:\Program Files\Last.fm
2008-07-15 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-13 19:43 --------- d-----w C:\Program Files\Ashampoo
2008-07-07 15:37 --------- d-----w C:\Program Files\Opera
2008-06-26 07:38 --------- d-----w C:\Documents and Settings\Rachel\Application Data\dvdcss
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 15:37 --------- d-----w C:\Program Files\4front-oss3d-7
2008-06-06 13:59 --------- d-----w C:\Program Files\iTunes
2008-06-06 13:58 --------- d-----w C:\Program Files\iPod
2008-06-06 13:55 --------- d-----w C:\Program Files\QuickTime
2008-06-03 22:49 --------- d-----w C:\Program Files\Notation
2008-06-02 20:21 --------- d-----w C:\Program Files\Guitar Pro 5
2008-05-28 22:31 --------- d-----w C:\Program Files\Sports Interactive
2008-05-28 22:31 --------- d-----w C:\Documents and Settings\Collen\Application Data\Sports Interactive
2008-05-27 14:24 --------- d-----w C:\Documents and Settings\Rachel\Application Data\OpenOffice.org2
2008-05-25 18:29 --------- d-----w C:\Program Files\Cain
2008-05-25 18:27 --------- d-----w C:\Program Files\CACE Technologies
2008-05-23 00:00 --------- d-----w C:\Program Files\Rallentando Software
2008-03-06 22:35 604 ---ha-w C:\Program Files\STLL Notifier
2007-12-26 22:47 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" [X]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 04:40 159744]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 22:00 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 14:50 184412]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 09:31 241664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 10:21 580096]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 02:05 122939]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33 1388544]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-26 22:35 185896]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 17:31 169312]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21 270336]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Ashampoo FireWall"="C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 14:57 3251800]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 11:05 88209 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 01:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 01:12 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 17:48 219136]

C:\Documents and Settings\Rachel\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-28 19:17:13 106496]

C:\Documents and Settings\Collen\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-07-21 00:29:36 385024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2008-07-21 12:39:24 151552]
TB-Tray.lnk - C:\Program Files\Thunderbird-Tray\TBTray.exe [2005-11-08 21:02:44 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 18:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 11:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 13:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 14:26]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 JNU;JNU;C:\DOCUME~1\Collen\LOCALS~1\Temp\JNU.exe []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 PhDebug32;PhDebug32;c:\hr60\bios\debug32.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2006-10-30 13:46]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 17:02]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 11:47:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.daemon-search.com/startpage
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.hp.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 20:38:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?8?9?1??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Collen\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\bcmntray.EXE
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-22 20:53:19 - machine was rebooted [Collen]
ComboFix-quarantined-files.txt 2008-07-22 19:52:19

Pre-Run: 5,637,697,536 bytes free
Post-Run: 5,644,308,480 bytes free

202 --- E O F --- 2008-07-10 00:00:46


here's MBAM log:

Malwarebytes' Anti-Malware 1.22
Database version: 979
Windows 5.1.2600 Service Pack 3

20:08:44 22/07/2008
mbam-log-7-22-2008 (20-08-44).txt

Scan type: Quick Scan
Objects scanned: 42435
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Let me know what to do next!

Many thanks again
Collen
ken545
post Jul 22 2008, 05:03 PM
Post #4


SuperHelper

Group: Malware Expert
Posts: 7,779
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Hi Collen,

The scans did not find much, but there is a service on your system running out of a temp directory, which is pretty odd. Do this please.

You need to enable Windows to show all files and folders; instructions Here


Go to VirusTotal and submit this file for analysis: just use the Browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\DOCUMENTS AND SETTINGS\Collen\LOCAL SETTINGS\Temp\JNU.exe <---This File


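Added here as an illustration, not from the thread or from any of the tools used in it: a Python script that applies the check behind ken545's remark above (a service whose binary runs out of a temp directory is unusual) to ComboFix-style service lines and registry ImagePath lines. The sample log is constructed in that format; the JNU and ASFWHide entries are modelled on the logs posted earlier in the thread, and the "missing file stamp" reason is an assumption about what an empty `[]` means.

```python
"""Flag Windows services whose binary lives in a Temp directory.

Added example, not part of the thread and not a What the Tech or ComboFix
tool. It walks ComboFix-style service lines ("S3 name;display;path [stamp]")
and .reg-style ImagePath lines and reports anything a helper would want to
look at twice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the ComboFix format. An empty "[]" is taken here to
# mean the scanner found no file on disk to stamp (missing, or hidden).
SAMPLE_LOG = r"""
R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 18:52]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 09:05]
S3 JNU;JNU;C:\DOCUME~1\Collen\LOCALS~1\Temp\JNU.exe []
S3 PhDebug32;PhDebug32;c:\hr60\bios\debug32.sys []
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\ASFWHide]
"ImagePath"="\??\C:\DOCUME~1\Collen\LOCALS~1\Temp\ASFWHide"
"""

SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$')
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"\s*$')

# Directory names that should never host a service binary.
TEMP_DIRS = {"temp", "tmp"}


@dataclass
class Finding:
    service: str
    path: str
    reasons: List[str] = field(default_factory=list)


def path_components(path: str) -> List[str]:
    """Lower-cased path components; the NT '\\??\\' prefix is dropped first."""
    bare = re.sub(r'^\\\?\?\\', '', path)
    return [part.lower() for part in re.split(r'[\\/]+', bare) if part]


def is_temp_path(path: str) -> bool:
    """True when any component is a Temp/Tmp directory (8.3 names such as LOCALS~1 are fine)."""
    return any(part in TEMP_DIRS for part in path_components(path))


def analyse(log_text: str) -> List[Finding]:
    """Walk the log once and return every service worth a second look."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]   # remember the registry key for the ImagePath that follows
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if is_temp_path(m['path']):
                reasons.append('image path is under a Temp directory')
            if not m['stamp'].strip():
                reasons.append('no file stamp: binary missing or hidden from the scanner')
            if reasons:
                findings.append(Finding(m['name'], m['path'], reasons))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and is_temp_path(m['path']):
            service = current_key.rsplit('\\', 1)[-1] if current_key else '?'
            findings.append(Finding(service, m['path'], ['ImagePath is under a Temp directory']))
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f'{f.service:12} {f.path}')
        for r in f.reasons:
            print(f'{"":12}   - {r}')
```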
collen
post Jul 23 2008, 04:21 AM
Post #5


Authentic Member
**

Group: Authentic Member
Posts: 29
Joined: 15-March 05
Member No.: 27,804
Operating System: windows XP



hi ken

thanks for the reply again. i enabled windows to show all hidden files like you said, but when i went to the virustotal page, there was no file named JNU.exe in the temp folder that you specified. the only things in this folder were an ASFWhide file and a MessengerCache folder.

Any ideas?

Many thanks for your help!
collen
ken545
post Jul 23 2008, 04:45 AM
Post #6


SuperHelper

Group: Malware Expert
Posts: 7,779
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Good Morning,

ASFWhide <-- This may be part of the Haxdoor rootkit infection; let's run this tool.


Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"


A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

collen
post Jul 23 2008, 07:37 AM
Post #7


Authentic Member
**

Group: Authentic Member
Posts: 29
Joined: 15-March 05
Member No.: 27,804
Operating System: windows XP



thanks ken. here's the logfile:

HAXFIX logfile - by Marckie

version 5.01.2
23/07/2008 14:18:40.48
running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
matching notify keys found
AtiE

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking iexplore.exe
iexplore.exe is not infected


--- Checking for other Goldun and Haxdoor files ---
no other Haxdoor or Goldun files found


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 14:19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:9f,b7,84,ec,2c,3b,7d,1e,76,b8,b4,4f,83,9d,84,59,4b,4b,06,b1,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:af,15,7d,c0,c9,35,7c,3c,0c,1b,db,8c,99,b3,ee,45,5e,53,07,43,85,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0008f4164ce5]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:9f,b7,84,ec,2c,3b,7d,1e,76,b8,b4,4f,83,9d,84,59,4b,4b,06,b1,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:af,72,68,3a,a4,19,7c,4a,6f,1a,c1,81,f7,ec,03,a4,a5,3d,2e,26,df,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:38,8d,14,6e,93,d7,36,0c,0a,7f,c5,ad,af,fb,f4,03,c7,79,19,7f,9d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:07,02,79,4c,61,71,ec,ea,90,e2,01,72,65,a6,68,c6,06,d8,29,35,bf,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:39,23,e2,ad,ee,cb,89,92,d1,eb,6e,e7,01,b0,81,d0,ed,53,38,1e,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:ce,21,70,06,55,92,a7,9d,65,5c,3f,7f,e7,53,b2,51,a2,a1,bf,15,3b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0008f4164ce5]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:9f,b7,84,ec,2c,3b,7d,1e,76,b8,b4,4f,83,9d,84,59,4b,4b,06,b1,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:39,23,e2,ad,ee,cb,89,92,d1,eb,6e,e7,01,b0,81,d0,ed,53,38,1e,89,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0008f4164ce5]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:9f,b7,84,ec,2c,3b,7d,1e,76,b8,b4,4f,83,9d,84,59,4b,4b,06,b1,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:af,72,68,3a,a4,19,7c,4a,6f,1a,c1,81,f7,ec,03,a4,a5,3d,2e,26,df,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:38,8d,14,6e,93,d7,36,0c,0a,7f,c5,ad,af,fb,f4,03,c7,79,19,7f,9d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:95,9d,ef,10,2a,54,38,85,cc,2c,dd,a4,0d,17,4b,14,9a,16,b6,ac,85,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,32,f6,ae,77,8b,0b,55,e3,86,79,a6,fe,32,09,24,f3,84,..
"khjeh"=hex:07,02,79,4c,61,71,ec,ea,90,e2,01,72,65,a6,68,c6,06,d8,29,35,bf,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d7,36,1b,0d,ca,04,ed,17,1e,b0,cc,b1,8b,33,fa,28,e9,56,c8,88,4c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:38,8d,14,6e,93,d7,36,0c,0a,7f,c5,ad,af,fb,f4,03,c7,79,19,7f,9d,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail\horridreview@hotmail.com]
"MessageCount"=dword:00000002

scanning hidden files ...

C:\Documents and Settings\Collen\Local Settings\Application Data\Opera\Opera\profile\opcache\opr01PU2

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 4


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!
ken545
post Jul 23 2008, 10:41 AM
Post #8


SuperHelper

Group: Malware Expert
Posts: 7,779
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Hello,

No rootkit infection. Let's do a few other things.

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.

Reboot and then do this.

Your log looks like that file is missing, but let's disable the service and see if it makes a difference.

  • Go to Start> Run and type in services.msc then press Enter
  • Scroll down to JNU
  • Double Click that service to open it.
  • Click on Stop Service.
  • Then change the Startup Type to Disabled.
  • OK your way out of the program.


Reboot and let me know if it made a difference
collen
post Jul 23 2008, 12:07 PM
Post #9


Authentic Member
**

Group: Authentic Member
Posts: 29
Joined: 15-March 05
Member No.: 27,804
Operating System: windows XP



thanks ken,

i completed the atf cleaner instructions. is this similar to ccleaner? for info, i already use ccleaner probably once a week.

disabled JNU in services; it was set to manual and hadn't been started. i've no idea what it is.

have fixed my original problem, which was mainly not being able to connect to the internet whilst zonealarm was running. apparently it was due to an ms update that messed it up. zonealarm released a new version, i've installed that and it seems to be working fine again. i will probably now uninstall the other firewall i put on to keep me protected while zonealarm didn't work (ashampoo firewall), unless you think it's worth having them both running?

laptop seems to be shutting down fine and i don't have to hit reload/F5 to get webpages to load with error, so i think i may be clean again.

here's the latest hijackthis log, if you could confirm i'm clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05:50, on 23/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Thunderbird-Tray\TBTray.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS&#