jacked.

projectx · August 26, 2008

Followed all directions.

Ran MBAM... logs follow.

Can't get Panda to run. Hangs on page:

http://*.mcafee.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA5393C-E568-4E79-8109-461FDB59FCDF}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F774C72-7808-4276-A161-DC3DCA8B8408}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{32AD9A87-872B-4D6A-A9B0-E52AF943CD5D}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C747279-42F4-49B0-81F7-6CD35BBAA08B}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9BBA3-6260-40B0-9A03-45F602E5C1A7}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{BDA82194-9CCB-4475-962A-9A88D8197D6E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - (no file)

O23 - Service: McAfee Application Installer Cleanup (0302741219555362) (0302741219555362mcinstcleanup) - Unknown owner - C:\Users\joe\AppData\Local\Temp\030274~1.EXE (file missing)

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel

1972vet · August 26, 2008

What threats did ESET find? You're able to paste the logs here, can you run the ESET scan again and save the results...to do this, click "File" from the menu at the top of the browser. Scroll down to and select "Save as" and save it to your desktop. Change the Save as type: to "Text File (*.txt)", leave the file name as it is then click the Save button. Post that text file back here on your next reply. Thanks!

projectx · August 26, 2008

OK, re-ran all apps.

1) MBAM Log looks clean. MBAM Logs to follow.

2) Re-ran ESET, found 0 threats - would not let me capture log.

3) HJT Logs to follow. Several things look wrong. (see bold) DNS Entries look suspect, some other things are suspect as well.

Your thoughts?

--------------------------------------------------------------------------------------------------------------

MBAM Log

--------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.25

Database version: 1088

Windows 6.0.6000

9:42:59 AM 8/26/2008

mbam-log-08-26-2008 (09-42-59).txt

Scan type: Quick Scan

Objects scanned: 47915

Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------------------------

ESET Capture (garbage)

--------------------------------------------------------------------------------------------------------------

Free ESET Online Antivirus ScannerGet a FREE Online Virus Scan

Use ESET's Online Antivirus Scan and Make Sure Your System Is Clean

Scanner | More Details | System Requirements | Help | FAQ View Cart Solutions

Products Purchase Download Partners Threat Center Support Company Search

Global Sites Online Scanner

Security Tips

Threats Explained

Threat Encyclopedia

Blog

White Papers

Newsletter Signup

Podcasts

RSS | Contact Us | Privacy | Legal Notices | Sitemap

Copyright

1972vet · August 27, 2008

I'm puzzled as to why ESET missed the few trojans you still have in residence. ESET of all would certainly have squawked about a few of these but why it reported finding nothing is a mystery...

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
[*]Click the "Close" button to leave the control center screen.
[*]Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
[*]On the left, make sure you check C:\Fixed Drive.
[*]On the right, under "Complete Scan", choose Perform Complete Scan.
[*]Click "Next" to start the scan. Please be patient while it scans your computer.
[*]After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
[*]Make sure everything has a checkmark next to it and click "Next".
[*]A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
[*]If asked if you want to reboot, click "Yes".
[*]To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
[*]Click Close to exit the program.

projectx · August 28, 2008

SUPERAntiSpyware is STILL running...

so far it has found 2 registry items and 30 file items.

21.5 hours and counting. 2.77 million files. wow.

normal?

1972vet · August 28, 2008

Normal? No...that is, if you don't have 2.77 million files. The size of the disk and the amount of files all play a part in the time it takes to complete a scan.

projectx · August 28, 2008

I realize that, I just didn''t know if there was a race condition this things gets stuck in where it loops on a subset of files.

1972vet · August 28, 2008

The scanner shows you a scanning progress at the top of the window. Does it appear stuck on a particular file or is the file path still changing showing each file in succession as it scans?

projectx · August 28, 2008

It keeps changing. Seems to spend a good deal of time on DriverStore\FileRepository\* and revisits it often.

projectx · August 28, 2008

Here's the Log:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 08/27/2008 at 08:32 PM

Application Version : 4.20.1046

Core Rules Database Version : 3549

Trace Rules Database Version: 1537

Scan type : Complete Scan

Total Scan Time : 00:05:04

Memory items scanned : 660

Memory threats detected : 0

Registry items scanned : 8168

Registry threats detected : 2

File items scanned : 3155782

File threats detected : 30

Adware.Vundo Variant

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{C5AF49A2-94F3-42BD-F434-3604812C897D}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C3F6F4FE-85F6-4D0C-98DE-15324B09F149}

Adware.Tracking Cookie

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@www.googleadservices[3].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@collective-media[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.revsci[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@findwhat[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@msnportalbeetsearchapr2007.112.2o7[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@www.eztrackz[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.adap[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@wmvmedialease[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@trafficmp[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@pro-market[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@specificclick[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@interclick[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@app.insightgrit[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@overture[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@www.googleadservices[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@adbrite[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@revsci[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@anad.tacoda[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@stats.renault[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.motogp[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@tacoda[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@adopt.specificclick[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@stats.renault[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@www.googleadservices[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.monster[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.traderonline[2].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@ads.pointroll[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@click.highspeedbackbone[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@coxhsi.112.2o7[1].txt

C:\Users\joe\AppData\Roaming\Microsoft\Windows\Cookies\joe@msnportal.112.2o7[1].txt

1972vet · August 28, 2008

OK, let's see a fresh HijackThis log. How's it running now?

projectx · August 28, 2008

Still a few suspect items. See bold.

------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:20:41 AM, on 8/28/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\sttray.exe

C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Pantone\huey\hueyTray.exe

C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Users\joe\AppData\Local\Temp\SolidWorksLicTemp.0001

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.mcafee.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA5393C-E568-4E79-8109-461FDB59FCDF}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F774C72-7808-4276-A161-DC3DCA8B8408}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{32AD9A87-872B-4D6A-A9B0-E52AF943CD5D}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C747279-42F4-49B0-81F7-6CD35BBAA08B}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9BBA3-6260-40B0-9A03-45F602E5C1A7}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{BDA82194-9CCB-4475-962A-9A88D8197D6E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: McAfee Application Installer Cleanup (0302741219555362) (0302741219555362mcinstcleanup) - Unknown owner - C:\Users\joe\AppData\Local\Temp\030274~1.EXE (file missing)

O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: Moldflow Product Security (MFPS Daemon) - Unknown owner - C:\PROGRA~1\Moldflow\PRODUC~1\mfpsd.exe

O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 3.0\nt\ModelServer.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: Plastics Insight 6.1 Job Manager (synjm61) - Unknown owner - C:\Program Files\Moldflow\Plastics Insight 6.1\bin\mpijm.exe

O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdmus.exe (file missing)

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14025 bytes

1972vet · August 28, 2008

Please answer this question:

How's it running now?

...and allow me to point out what is suspect.

projectx · August 28, 2008

Seems better, but some programs still are a bit jumpy, slow then normal.

1972vet · August 28, 2008

The O17 entries relate to http://*.mcafee.com

This entry should have gone away with the first reboot after installation of McAfee

O23 - Service: McAfee Application Installer Cleanup (0302741219555362) (0302741219555362mcinstcleanup) - Unknown owner - C:\Users\joe\AppData\Local\Temp\030274~1.EXE (file missing)

Close all windows now except for HijackThis (that includes this browser window), then click the Fix Checked button.

Reboot the computer into Safe mode.

Once in safe mode and logged on as administrator, please continue with the instructions below:

Locate and delete the following files/folders indicated in Bold text:

C:\Windows\TEMP\inst1.exe

C:\Users\joe\AppData\Local\Temp\winlogan.exe

C:\Windows\TEMP\setup1013.exe

Reboot and post a fresh HijackThis log. Thanks!

projectx · August 28, 2008

ran all instructions. Logs follow.

What is Windows Tribute Service? See bold below.

Still require Acrobat 8.0 as it is part of the AdobeCS3 package and can't be removed seperately. Also, don't have distiller upgrade package.

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:50:27 PM, on 8/28/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\sttray.exe

C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\SiteAdvisor\6261\SiteAdv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Pantone\huey\hueyTray.exe

C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe

C:\Windows\ehome\ehmsas.exe

C:\Users\joe\AppData\Local\Temp\SolidWorksLicTemp.0001

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://usatoday.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [solidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [siteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo 1400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBUA.EXE /FU "C:\Users\joe\AppData\Local\Temp\E_S3BCE.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\joe\appdata\local\temp\SO5C08~1.SH! (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\joe\appdata\local\temp\SO5C08~1.SH! (User 'Default user')

O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe

O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O13 - Gopher Prefix: