Hijack this log - is my system clean?

Discussion in 'adware, spyware & hijack cleaning' started by garthd, May 30, 2004.

Thread Status:
Not open for further replies.
  1. garthd

    garthd Registered Member

    Joined:
    May 30, 2004
    Posts:
    3
    I've had some spyware/malware issues - namely a nasty little hijack that was sending me to various "offeroptimiser.com" sites or an eBay advertisement. I have downloaded and run Spybot Search and Destroy, Bazooka Spyware scanner, Ad-Aware 6, and SpywareBlaster.

    I've had a look through the log file, and everything now looks alright. At this stage, I think I've managed to kill off alchem, powerscan, twaintech and a few other nasties - but want to be sure that I have indeed cleaned up my system.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:40 AM, on 31/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\WINDOWS\System32\sysmon45.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ajslufxq.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\garthd\Desktop\HijackThis.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planthealthaustralia.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.planthealthaustralia.com.au/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.planthealthaustralia.com.au/"); (C:\Program Files\Netscape\Users\garth\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43FA5935-E36E-4937-8127-A90191B2EC68} - C:\WINDOWS\System32\domain11.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {72557F9F-13AE-44C9-B3D7-5091B599027C} - C:\WINDOWS\System32\smail11.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [sysmon] C:\WINDOWS\System32\sysmon45.exe
    O4 - HKLM\..\Run: [Svshost] C:\WINDOWS\System32\svshost.exe 443
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [jzfctspxnejf] C:\WINDOWS\System32\ajslufxq.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Mediadisk Update.lnk = COMMUNICATIONS\WMDISK\Bin\p_wdtake.exe
    O4 - Startup: Shortcut to stuff_to_do.txt.lnk = C:\Documents and Settings\garthd\Desktop\stuff_to_do.txt
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Coches (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://mail.phau.com.au
    O15 - Trusted Zone: http://www.phau.com.au
    O15 - Trusted Zone: http://www.planthealthaustralia.com.au
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13dbf0fcac98e1cacb05/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37824.9820717593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PlantHealth.local
    O17 - HKLM\Software\..\Telephony: DomainName = PlantHealth.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PlantHealth.local
     
  3. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Before you start, please unzip HijackThis to its own folder somewhere.
    The program will make backups in the folder it's run from.
    These easily get lost in a Temp folder and are an annoyance on the desktop.

    Use Task Manager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer):
    C:\WINDOWS\System32\sysmon45.exe
    C:\WINDOWS\System32\ajslufxq.exe



    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: (no name) - {43FA5935-E36E-4937-8127-A90191B2EC68} - C:\WINDOWS\System32\domain11.dll
    O2 - BHO: (no name) - {72557F9F-13AE-44C9-B3D7-5091B599027C} - C:\WINDOWS\System32\smail11.dll
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
    O4 - HKLM\..\Run: [sysmon] C:\WINDOWS\System32\sysmon45.exe
    O4 - HKLM\..\Run: [Svshost] C:\WINDOWS\System32\svshost.exe 443
    O4 - HKLM\..\Run: [jzfctspxnejf] C:\WINDOWS\System32\ajslufxq.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13dbf0fcac98e1cacb05/netzip/RdxIE601.cab


    I don't recognize this at all - have you looked at the contents of that file with Notepad?
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

    This I don't recognize:
    O4 - Startup: Mediadisk Update.lnk = COMMUNICATIONS\WMDISK\Bin\p_wdtake.exe
    Does it make sense to you as a startup link?
    O4 - Startup: Shortcut to stuff_to_do.txt.lnk = C:\Documents and Settings\garthd\Desktop\stuff_to_do.txt
    If you are at all unsure of these last 2, add them to the previous list to fix with HJT.
    It's possible that BCONSET is required, but these last 2 are not.


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files: (the first two will likely be gone and HJT will have them as backups)
    C:\WINDOWS\System32\domain11.dll
    C:\WINDOWS\System32\smail11.dll
    C:\WINDOWS\System32\sysmon45.exe
    C:\WINDOWS\System32\svshost.exe
    C:\WINDOWS\System32\ajslufxq.exe


    Reboot to normal mode

    -------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.

    -----
    update your AV and scan -- or get a good online virus scan at HouseCall

    ------ some partial info (for further cleanup)
    http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=index&catid=&topic=24
    http://www.sophos.com/virusinfo/analyses/trojketchb.html

    ---
    Let us know how it goes -- post a new log when you're this far along
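The entries IMM singled out above share a few traits: a one-letter lookalike of a real system binary (svshost.exe vs. svchost.exe), word-plus-digits names (sysmon45.exe, domain11.dll) and random-looking names (ajslufxq.exe), all sitting in System32. The following is an added example, not code from the thread or from HijackThis, that runs those heuristics over constructed sample lines modelled on the first log; the allowlist and the thresholds are assumptions chosen for the sample.

```python
"""Heuristic triage of HijackThis log entries (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed allowlist of binaries that legitimately live in System32 on XP.
# A real allowlist is far larger; this is just enough for the sample below.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "ctfmon.exe", "notepad.exe", "msdxm.ocx",
}

# Constructed sample lines modelled on the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {43FA5935-E36E-4937-8127-A90191B2EC68} - C:\WINDOWS\System32\domain11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Svshost] C:\WINDOWS\System32\svshost.exe 443
O4 - HKLM\..\Run: [jzfctspxnejf] C:\WINDOWS\System32\ajslufxq.exe
O4 - HKLM\..\Run: [sysmon] C:\WINDOWS\System32\sysmon45.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RNOF]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
NAME_DIGITS_RE = re.compile(r"[a-z]+\d{1,3}\.(?:exe|dll)")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Rough heuristic (assumption): long stems with few vowels read like generated names."""
    vowels = sum(ch in "aeiouy" for ch in stem)
    return len(stem) >= 6 and vowels / len(stem) < 0.3


@dataclass
class Finding:
    entry: str
    basename: str
    reasons: list


def triage_entry(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("body"))
    if not p:
        return None
    path = p.group(0)
    basename = path.rsplit("\\", 1)[-1].lower()
    # Only unlisted binaries resident in System32 are examined further.
    if "\\system32\\" not in path.lower() or basename in KNOWN_SYSTEM32:
        return None
    reasons = ["unlisted binary in System32"]
    for known in sorted(KNOWN_SYSTEM32):
        if edit_distance(basename, known) == 1:
            reasons.append(f"lookalike of {known}")
    if NAME_DIGITS_RE.fullmatch(basename):
        reasons.append("word+digits name")
    if looks_random(basename.rsplit(".", 1)[0]):
        reasons.append("random-looking name")
    return Finding(line.strip(), basename, reasons)


def triage(log_text: str) -> list:
    """Run triage_entry over every line and keep only the flagged entries."""
    return [f for f in map(triage_entry, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.basename, "->", "; ".join(f.reasons))
```

The heuristics only narrow the list for a human reviewer; an allowlisted name is still checked by the path it loads from, since a lookalike dropped into System32 is exactly the trick svshost.exe relies on.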
     
  4. garthd

    garthd Registered Member

    Joined:
    May 30, 2004
    Posts:
    3
    OK, I followed all the instructions, and I think I've managed to knock off all the nasties mentioned above - and my system does seem to be running faster, which is good. The revised HijackThis log file appears below.

    I haven't quite worked out what the following file does, but I think it might be something to allow a Bluetooth connection.
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

    The following settings are OK. The first one is a program that I can vouch for as being OK, and the second is just a link to a text file that opens at startup.

    O4 - Startup: Mediadisk Update.lnk = COMMUNICATIONS\WMDISK\Bin\p_wdtake.exe
    O4 - Startup: Shortcut to stuff_to_do.txt.lnk = C:\Documents and Settings\garthd\Desktop\stuff_to_do.txt

    ----

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:47 AM, on 1/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planthealthaustralia.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.planthealthaustralia.com.au/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.planthealthaustralia.com.au/"); (C:\Program Files\Netscape\Users\garth\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: Mediadisk Update.lnk = COMMUNICATIONS\WMDISK\Bin\p_wdtake.exe
    O4 - Startup: Shortcut to stuff_to_do.txt.lnk = C:\Documents and Settings\garthd\Desktop\stuff_to_do.txt
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Coches (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://mail.phau.com.au
    O15 - Trusted Zone: http://www.phau.com.au
    O15 - Trusted Zone: http://www.planthealthaustralia.com.au
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37824.9820717593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PlantHealth.local
    O17 - HKLM\Software\..\Telephony: DomainName = PlantHealth.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PlantHealth.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PlantHealth.local
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = PlantHealth.local
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Your log looks clean to me.

    If you can find bconprof.reg and open it in Notepad, I think we will be able to confirm your suspicion.

    Regards,

    Pieter
     
  6. garthd

    garthd Registered Member

    Joined:
    May 30, 2004
    Posts:
    3
    OK, the bconprof.reg file has the following contents:

    REGEDIT4
    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2]
    "NumProfiles"=dword:00000003
    "UserDefinedProfName"="Customize"
    "ProfVer"="6"


    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\Full Lock]
    "AllowOthersToDiscover"=dword:00000000
    "WhoAllowedToConnect"=dword:00000000
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000003
    "ProfileName"="High"
    "ProfileType"=dword:00001002
    "ApplyToAllSvc"=dword:00000001
    "SvcAuthentication"=dword:00000000
    "SvcAuthorization"=dword:00000000
    "SvcEncryption"=dword:00000000

    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\Lock]
    "AllowOthersToDiscover"=dword:00000001
    "WhoAllowedToConnect"=dword:00000001
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000002
    "ProfileName"="Medium"
    "ProfileType"=dword:00001003
    "ApplyToAllSvc"=dword:00000001
    "SvcAuthentication"=dword:00000001
    "SvcAuthorization"=dword:00000001
    "SvcEncryption"=dword:00000001


    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\Lock_home]
    "AllowOthersToDiscover"=dword:00000001
    "WhoAllowedToConnect"=dword:00000001
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000002
    "ProfileName"="Low"
    "ProfileType"=dword:00001001
    "ApplyToAllSvc"=dword:00000001
    "SvcAuthentication"=dword:00000001
    "SvcAuthorization"=dword:00000000
    "SvcEncryption"=dword:00000001


    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\UnLock]
    "AllowOthersToDiscover"=dword:00000001
    "WhoAllowedToConnect"=dword:00000001
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000002
    "ProfileName"="None"
    "ProfileType"=dword:00001000
    "ApplyToAllSvc"=dword:00000001
    "SvcAuthentication"=dword:00000000
    "SvcAuthorization"=dword:00000000
    "SvcEncryption"=dword:00000000


    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\MSHigh]
    "AllowOthersToDiscover"=dword:00000000
    "WhoAllowedToConnect"=dword:00000000
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000000
    "ProfileName"="High"
    "ProfileType"=dword:00002002
    "ApplyToAllSvc"=dword:00000000
    "SvcAuthentication"=dword:00000000
    "SvcAuthorization"=dword:00000000
    "SvcEncryption"=dword:00000000


    [HKEY_CURRENT_USER\Software\IBM\BtSecWiz\NumProfiles2\MSMedium]
    "AllowOthersToDiscover"=dword:00000000
    "WhoAllowedToConnect"=dword:00000000
    "UseInquiryFilters"=dword:00000000
    "SecurityType"=dword:00000000
    "ProfileName"="Medium"
    "ProfileType"=dword:00002001
    "ApplyToAllSvc"=dword:00000000
    "SvcAuthentication"=dword:00000000
    "SvcAuthorization"=dword:00000000
    "SvcEncryption"=dword:00000000
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That sure looks like something to secure a connection.
    Which means your log is clean. :cool:

    Regards,

    Pieter
     