hi lo!
Here is the Spybot log... kinda long...
--- Search result list ---
ISearchTech.YSB: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar
Altnet: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-06 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi (*)
2005-12-16 Includes\Dialer.sbi (*)
2005-12-16 Includes\Hijackers.sbi (*)
2005-12-16 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-12-16 Includes\Malware.sbi (*)
2005-12-16 Includes\PUPS.sbi (*)
2005-12-16 Includes\Revision.sbi (*)
2005-12-16 Includes\Security.sbi (*)
2005-12-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi (*)
--- Startup entries list ---
Located: HK_LM:Run, AHQInit
command: C:\Program Files\Creative\SBLive\Program\AHQInit.exe
file: C:\Program Files\Creative\SBLive\Program\AHQInit.exe
size: 102400
MD5: a92a1e030d09d52ea0eb11bde231a34e
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 98352
MD5: aa78ac45f1a75f4414dc7b2681705dc8
Located: HK_LM:Run, DIAGENT
command: C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
file:
Located: HK_LM:Run, Mirabilis ICQ
command: C:\Program Files\ICQ\ICQNet.exe
file: C:\Program Files\ICQ\ICQNet.exe
size: 49230
MD5: f071d458ebaf8a282767328946fc2b21
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 741376
MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72
Located: HK_LM:Run, PRISMSVR.EXE
command: "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
file:
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: 96d2436434d14b99d0edf8a26be76eed
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: a05da809ac0d86d916d09e3a908d3a06
Located: HK_LM:Run, UpdReg
command: C:\WINDOWS\Updreg.exe
file: C:\WINDOWS\Updreg.exe
size: 90112
MD5: c419df63e0121d72411285780c2fc6cc
Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38
Located: HK_CU:RunOnce, ICQ
command: C:\Program Files\ICQ\ICQ.exe -trayboot
file:
Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 12/6/2005 10:57:50 PM
Date (last access): 12/18/2005 7:49:58 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/potd_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
{14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
description:
classification: Legitimate
known filename: MessengerStatsPAClient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~2.DLL
Date (created): 4/6/2004 7:03:54 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 4/6/2004 7:03:54 PM
Filesize: 172072
Attributes: archive
MD5: 94D1773AEAA2197AFEE3A6F8404FE4E9
CRC32: 76C3823D
Version: 9.2.7513.1
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwa...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 5/16/2004 3:17:44 AM
Date (last access): 12/15/2005 1:03:56 AM
Date (last write): 3/16/2004 5:07:54 PM
Filesize: 49152
Attributes: archive
MD5: 188064B39FD529E960F9D821505747EA
CRC32: C6D7A014
Version: 10.0.0.210
{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class)
DPF name:
CLSID name: MSSecurityAdvisor Class
Installer: C:\WINDOWS\Downloaded Program Files\msSecAdv.inf
Codebase: http://download.microsoft.com/download/0/5...b?1084470414000
description:
classification: Legitimate
known filename: mssecadv.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: mssecadv.dll
Short name:
Date (created): 9/8/2003 11:30:46 AM
Date (last access): 12/11/2005 4:41:22 PM
Date (last write): 9/8/2003 11:30:46 AM
Filesize: 36960
Attributes: archive
MD5: A4282FD762CE1C4FFA665538E335CFF0
CRC32: 51ECFB75
Version: 5.4.3790.14
{2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class)
DPF name:
CLSID name: Minesweeper Flags Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MineSweeper.cab
description:
classification: Legitimate
known filename: minesweeper.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: minesweeper.dll
Short name: MINESW~1.DLL
Date (created): 5/29/2003 3:00:22 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 5/29/2003 3:00:22 PM
Filesize: 84064
Attributes: archive
MD5: F951FD0EA383DF2D49CA0359E4A86968
CRC32: 50A69718
Version: 7.1.9502.1
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
DPF name:
CLSID name: Symantec AntiVirus scanner
Installer: C:\WINDOWS\Downloaded Program Files\avsniff.inf
Codebase: http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
description: Symantec online scanner
classification: Legitimate
known filename: AVSNIFF.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: avsniff.dll
Short name:
Date (created): 11/17/2005 2:03:22 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 11/17/2005 2:03:22 PM
Filesize: 202400
Attributes: archive
MD5: BCE679811E5A7441A24C250803A87F26
CRC32: B9D953A5
Version: 2004.12.14.55
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINDOWS\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 1/26/2004 6:40:04 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 1/26/2004 6:40:04 PM
Filesize: 133120
Attributes: archive
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1
{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
{427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control)
DPF name:
CLSID name: Pixami Image Editor Control
Installer: C:\WINDOWS\Downloaded Program Files\BPImageEditor.inf
Codebase: http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
description:
classification: Open for discussion
known filename: BPImageEditor.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: BPImageEditor.ocx
Short name: BPIMAG~1.OCX
Date (created): 12/12/2003 2:58:58 PM
Date (last access): 12/11/2005 4:30:38 PM
Date (last write): 12/12/2003 2:58:58 PM
Filesize: 630784
Attributes: archive
MD5: BF7CBE5BCD49C2DB064F1BB80189A5D7
CRC32: 60BF6BA0
Version: 1.1.0.32
{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Installer: C:\WINDOWS\Downloaded Program Files\CabSA.inf
Codebase: http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
description:
classification: Legitimate
known filename: rufsi.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: rufsi.dll
Short name:
Date (created): 11/17/2005 2:03:36 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 11/17/2005 2:03:36 PM
Filesize: 161480
Attributes: archive
MD5: 1A3A17DEC5DB03CD99ADCF3DABD4A3D0
CRC32: A399EBC2
Version: 2004.6.23.42
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
Installer: C:\WINDOWS\Downloaded Program Files\xscan.inf
Codebase: http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 3/24/2004 6:22:12 PM
Date (last access): 12/11/2005 4:30:42 PM
Date (last write): 3/24/2004 6:22:12 PM
Filesize: 435712
Attributes: archive
MD5: 99A67AEE9A6E3EFD2126AFA0840ECBED
CRC32: 9198FA39
Version: 5.70.0.1085
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
description:
classification: Legitimate
known filename: messengerstatsclient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: messengerstatsclient.dll
Short name: MESSEN~1.DLL
Date (created): 5/29/2003 3:00:20 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 5/29/2003 3:00:20 PM
Filesize: 160864
Attributes: archive
MD5: B069B555A00AA026F657AA4FD13AE154
CRC32: 89BB01E1
Version: 7.1.9502.1
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Open for discussion
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 11/11/2005 8:28:22 AM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 11/11/2005 8:28:22 AM
Filesize: 135168
Attributes: archive
MD5: 5793AB11CE5B5029ED2B9EB4CF67641C
CRC32: 1E2240F6
Version: 58.3.0.0
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/...8040.2508564815
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
{A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object)
DPF name:
CLSID name: SassCln Object
Installer: C:\WINDOWS\Downloaded Program Files\SASSCLN.INF
Codebase: http://www.microsoft.com/security/controls.../20/SassCln.CAB
description:
classification: Legitimate
known filename: SassCln.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SassCln.dll
Short name:
Date (created): 5/11/2004 1:15:20 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 5/11/2004 1:15:20 PM
Filesize: 118784
Attributes: archive
MD5: A41CA01D1F7E6F64BCD08C88FAEAF85F
CRC32: B5166F79
Version: 1.0.0.20
{B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class)
DPF name:
CLSID name: ZoneIntro Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
description:
classification: Legitimate
known filename: ZIntro.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZIntro.ocx
Short name:
Date (created): 4/6/2004 7:03:12 PM
Date (last access): 12/11/2005 4:30:42 PM
Date (last write): 4/6/2004 7:03:12 PM
Filesize: 85032
Attributes: archive
MD5: 65431ACCF09A96C3BE53B7681BFFE44D
CRC32: C8777857
Version: 9.2.7513.1
{B9191F79-5613-4C76-AA2A-398534BB8999} ()
DPF name:
CLSID name:
Installer: C:\Program Files\Yahoo!\Common\yaddbook.dll
Codebase: http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
description: Yahoo! Address book
classification: Legitimate
known filename: %ProgramFiles%\Yahoo!\Common\yaddbook.dll
info link:
info source: Patrick M. Kolla
{C6760A07-A574-4705-B113-7856315922C3} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\sysnetsvc32.inf
Codebase: http://akamai.downloadv3.com/binaries/IA/s...svc32_EN_XP.cab
description:
classification: Confirmed as malware
known filename: sysnetsvc32.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: sysnetsvc32.dll
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
DPF name:
CLSID name: ActiveDataInfo Class
Installer:
Codebase: https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
description:
classification: Open for discussion
known filename: SymAData.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SymAData.dll
Short name:
Date (created): 5/7/2004 10:02:48 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 5/7/2004 10:03:02 PM
Filesize: 124112
Attributes: archive
MD5: 509273596B62B1533B6AD1544704A043
CRC32: A42751C1
Version: 1.0.0.1
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 7/14/2004 11:44:26 AM
Date (last access): 12/18/2005 7:52:06 PM
Date (last write): 7/14/2004 11:44:26 AM
Filesize: 939224
Attributes: archive
MD5: 774BABD80803E3A7B69A3775F07F0707
CRC32: E2AF9C11
Version: 7.0.19.0
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Installer: C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Codebase: http://download.games.yahoo.com/games/popc...aploader_v5.cab
description:
classification: Open for discussion
known filename: POPCAPLOADER.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: popcaploader.dll
Short name: POPCAP~1.DLL
Date (created): 12/19/2003 5:02:06 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 12/19/2003 5:02:06 PM
Filesize: 126976
Attributes: archive
MD5: 3FDDB5EE807DD371405B305ABDAE3529
CRC32: F4B06292
Version: 1.0.0.5
{E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class)
DPF name:
CLSID name: ActiveDataObj Class
Installer:
Codebase: https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
description:
classification: Open for discussion
known filename: ActiveData.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ActiveData.dll
Short name: ACTIVE~1.DLL
Date (created): 6/12/2002 1:16:22 PM
Date (last access): 12/18/2005 8:06:38 PM
Date (last write): 6/12/2002 1:16:22 PM
Filesize: 112312
Attributes: archive
MD5: C0A5720A581109543B113A8BEAE7868C
CRC32: 1B08DE36
Version: 1.0.0.1
--- Process list ---
PID: 1580 ( 716) alg.exe
PID: 1300 ( 716) svchost.exe
PID: 1196 ( 716) svchost.exe
PID: 648 ( 600) csrss.exe
PID: 1792 ( 716) wdfmgr.exe
PID: 4 ( 0) System
PID: 0 ( 0) [System]
PID: 672 ( 600) \??\C:\WINDOWS\system32\winlogon.exe
PID: 600 ( 4) \SystemRoot\System32\smss.exe
PID: 1076 ( 320) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 98352
MD5: AA78AC45F1A75F4414DC7B2681705DC8
PID: 1640 ( 716) C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 98352
MD5: 53D983A1472375CFB47F0D97D9213F06
PID: 732 ( 716) C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
size: 241712
MD5: F6702B0872E4FD34DFFF39A54526FD3F
PID: 1620 ( 716) C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
size: 53248
MD5: 435D862E96FE19612093177CF6618F4E
PID: 928 ( 716) C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
size: 360496
MD5: BE88DE95D6618573120C37DA36D736C6
PID: 1700 ( 716) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
size: 270336
MD5: D8DDCFC45D8597D57F417D7368538CF0
PID: 1788 ( 320) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: A05DA809AC0D86D916D09E3A908D3A06
PID: 436 ( 320) C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
size: 172122
MD5: 7846D002604BD0C0565F9C91230FB0D3
PID: 3288 ( 320) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: 418D301C3B1FA94B19584AEEB3D65166
PID: 1164 ( 320) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 3240 (1164) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3476 (3240) C:\WINDOWS\regedit.exe
size: 134144
MD5: B28FB518CD2949715CBFCE0E93A7A535
PID: 320 (1280) C:\WINDOWS\Explorer.EXE
size: 1004032
MD5: A82B28BFC2E4455FE43022A498C0EF0A
PID: 1728 ( 716) C:\WINDOWS\System32\nvsvc32.exe
size: 81920
MD5: 5ED834603C36414B579979B3A9C90F54
PID: 1892 ( 716) C:\WINDOWS\System32\MsPMSPSv.exe
size: 53520
MD5: 581176F60885AEF8F78C6E38DCC3CDF9
PID: 2268 (1032) C:\WINDOWS\System32\wuauclt.exe
size: 124184
MD5: EBF1AB7E4FC05CABF2F4680D2A45F827
PID: 1460 ( 716) C:\WINDOWS\system32\spoolsv.exe
size: 53248
MD5: 6B4BF97957A0B8795811975D4BF1ACFE
PID: 904 ( 716) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1660 ( 716) C:\WINDOWS\System32\CTsvcCDA.EXE
size: 44032
MD5: 3C8B6609712F4FF78E521F6DCFC4032B
PID: 444 ( 436) C:\WINDOWS\System32\devldr32.exe
size: 25600
MD5: D874723E025C465990B5F105715361F7
PID: 1032 ( 716) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 728 ( 672) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: B2B6BA905D0E3F8A32A0EB3B4051807B
PID: 1764 ( 716) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 716 ( 672) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 12/18/2005 8:15:19 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.yahoo.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E965462C-B0F7-492E-863D-CFA67DB10AF0}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E965462C-B0F7-492E-863D-CFA67DB10AF0}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A5AC477-29EC-4E13-A898-08723FE5E82C}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A5AC477-29EC-4E13-A898-08723FE5E82C}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{313576BA-63F0-452D-9E94-68741674B541}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{313576BA-63F0-452D-9E94-68741674B541}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A8EEB436-D8AD-4B7A-9078-E2B5A22A3739}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A8EEB436-D8AD-4B7A-9078-E2B5A22A3739}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{25BFAC5F-85D6-46C2-AE06-FF1D7E8C49B7}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{25BFAC5F-85D6-46C2-AE06-FF1D7E8C49B7}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{738B5172-EEF0-4371-9AA3-823AB67346AE}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{738B5172-EEF0-4371-9AA3-823AB67346AE}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
and this is the silent runners log.
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ" = "C:\Program Files\ICQ\ICQ.exe -trayboot" ["ICQ Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DIAGENT" = "C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Mirabilis ICQ" = "C:\Program Files\ICQ\ICQNet.exe" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"PRISMSVR.EXE" = ""C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY" [file not found]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BF05BB6E-442C-428B-8025-82280B7BC26C}" = "Zen Micro Media Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"
Startup items in "Cindy2" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\Program Files\ICQ\ICQ.exe" ["ICQ Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 155 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 218 seconds)
Thanks for all the help man!